Renseignement sur les menaces

Suisse

209.99.187.19

FAI SKN Subnet & Telecom Ltd Première vue 07/06/2026 00:44 UTC Dernière vue 07/06/2026 07:11 UTC Risque Moyen

Période analysée : 2026-03-10 → 2026-06-08

risque 49/100 — MITRE T1046

Base IP Signaler JSON CSV STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Moyen · Risque max (7j) Moyen

Synthèse exécutive

Profil de menace

Score de risque 63/100 Moyen

Première observation 07/06/2026 00:44 UTC

Dernière observation 07/06/2026 07:11 UTC

Événements (période) 1,833

MITRE ATT&CK principal T1046

risque 49/100 — MITRE T1046

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_scan_syn » (signaux protocolaires) · confiance 100%

Comparaison ASN / FAI

ASN 402253 · 209.99.184.0/21 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 1,833 événements sur la période pour cette IP.

209.99.185.59 Sonde port 08/06/2026 19:44 UTC
209.99.187.52 Sonde port 08/06/2026 19:43 UTC
209.99.190.113 Sonde SSH 08/06/2026 16:22 UTC
209.99.187.91 Sonde port 1723/TCP 07/06/2026 22:52 UTC
209.99.188.147 Sonde port 07/06/2026 06:26 UTC
209.99.191.9 Scan de ports 06/06/2026 15:26 UTC
209.99.189.177 Sonde SSH 26/05/2026 21:16 UTC
209.99.184.233 telnet attack 24/05/2026 05:42 UTC

Événements (filtres)

1,833

Première observation

07/06/2026 00:44 UTC

Dernière observation

07/06/2026 07:11 UTC

Dernière activité (filtres)

07/06/2026 07:11 UTC

Événements 7j

1,833

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 1,207 HTTPS TCP 304 SAP ICM TCP 152 ELASTICSEARCH TCP 152 MONGODB TCP 7 MONGODB SHARD TCP 2 MONGODB CONFIG TCP 2 MONGODB HTTP TCP 2 PROMETHEUS TCP 1 INFLUXDB TCP 1 WEBLOGIC SSL TCP 1 WEBSPHERE TCP 1 HTTP ALT 8880 TCP 1

HTTP

1,207

HTTPS

304

SAP ICM

152

ELASTICSEARCH

152

MONGODB

MONGODB SHARD

Géolocalisation

Origine réseau déclarée

Suisse unknown unknown

FAI / réseau

Opérateur et dernière activité ban

SKN Subnet & Telecom Ltd 0 Port 9443 port_scan_syn

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Reconnaissance

Chaîne d'attaque

recon

Aperçu payload

GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple

Port / service

9443 · HTTPS

Technique MITRE

T1046

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Campagne ports

Recommandation

Surveiller

Confiance

100%

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

1,833 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

1833 événement(s) — page 2/37

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
07/06/2026 07:11:36 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_port_scan_fast Cible HTTP GET /README.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /README.txt Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET /README.txt HTTP/1.1` User-Agent Mozilla/5.0 (CentOS; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (CentOS; Linux i686) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (CentOS; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "880ccd94de3df3df7e30e5ba423ae6bc963a0412", "http_host_hash": "ed2de66492dda3548e78c5a14cea344abaddd118", "http_target_hash": "ab9489e2835a4c90f6af65db2a350e9fbed45704", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.427197988811317, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 402253, "country": "CH", "dst_port": 9200, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "c5e582e8728e324f8ed7a74f6610a26ef4dfd814", "event_fingerprint": "7109a0d2bcaac13cf770753de02a2543425b59e1", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 226, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0ccaa57cb81d057e9a9294ab15f754fd", "payload_hash": "04e94006ed14ec430ae786a26a882b7d", "path_pattern_hash": "f1da2ac495442188b42e61002c12ea20" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 47 }, "payload_preview": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/README.txt", "user_agent": "Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/README.txt HTTP\/1.1", "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/README.txt", "user_agent": "Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/README.txt HTTP\/1.1", "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "590c99bb95680f31dcbe4b007fafe94f954f5e08", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9090 · HTTP	http	Scan de ports	Élevée	Moyen · 53
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_assets Cible HTTP GET /assets/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible /assets/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /assets/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "e862b30a39ca6c6e44401c5388b26fc59bec543c", "http_target_hash": "9deb03ee93b5c35fc64945fba2497110debf3fc9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 386, "payload_entropy": 5.46964632632644, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9090, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 53, "tag_count": 5, "anomaly_count": 0, "campaign_key": "354f462279495d0234fcc378446d9b94c83db5eb", "event_fingerprint": "a345b8aacd8af5722c0d598cfca78982bb0943d3", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 226, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 53, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "13e19c18001d047caaf4eb2099b57a36", "path_pattern_hash": "69c03841151170259bac878d0fbd4b66" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "method": "GET", "path": "\/assets\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/favicon.ico HTTP\/1.1", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "method": "GET", "path": "\/assets\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/favicon.ico HTTP\/1.1", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e99316bf01a1a72f2bd3d63f04312d2e845cd380", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_assets", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9443 · HTTPS	https	Scan de ports	Élevée	Moyen · 50
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ES admin GET HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /administrator/manifests/files/joomla.xml HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (X11; Linux i686 Requête brute (extrait) GET /administrator/manifests/files/joomla.xml HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko/ Firefox/5.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 241, "payload_entropy": 5.285430434715622, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "9f6b0420b9eb131217ffa91d20600329bbbfb575", "event_fingerprint": "66de93e93356302b7cdade60cabf69b7305865e4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 196, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "matched_patterns": [ "pat-0341", "pat-0600" ], "matched_pattern_names": [ "ES admin GET", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0341", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 50, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2994c263657f88de2d50f23b90756d27", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686", "request_sample": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko\/ Firefox\/5.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686", "evidence": { "request_sample": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko\/ Firefox\/5.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aa84284874987640443a41a210e72b6f458c5b41", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_port_scan_fast", "tor_exit_probe", "websphere_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_port_scan_fast Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml,app Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "ed2de66492dda3548e78c5a14cea344abaddd118", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 379, "payload_entropy": 5.478994241944828, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 402253, "country": "CH", "dst_port": 9200, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "c5e582e8728e324f8ed7a74f6610a26ef4dfd814", "event_fingerprint": "8458a949685400636ff9382395cb170734c39783", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 226, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "a6f74f0b912c3cdc1a7172089a7e7d14", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 47 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2d91449a7dbcfcbfe2f4629ccd9be70863dedc8e", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9090 · HTTP	http	Scan de ports	Élevée	Moyen · 52
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_port_scan_fast Cible HTTP GET /web/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible /web/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /web/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple Requête brute (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "e862b30a39ca6c6e44401c5388b26fc59bec543c", "http_target_hash": "fbd790bdeb362b00d49b0fdb2cc8a77d3bcea549", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 383, "payload_entropy": 5.476526189242528, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9090, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "13e8fb57e883517660546c2e8899f440a60eb584", "event_fingerprint": "006caf1f165d956d8bc91fa8c7e0b7f9caee7ada", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 226, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "ff61bc66fd44038b0c94a65bd98d6baa", "path_pattern_hash": "53177baa3eea1f41ac064a836a2fa9b0" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "evidence": { "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "88fdf94b4b24bee19b4c5dc82f08ac700d69c6ce", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9443 · HTTPS	https	Scan de ports	Élevée	Moyen · 49
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko Requête brute (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 231, "payload_entropy": 5.282512737871491, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 49, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1797796c690c3170e6bcd4d2c61c6adc1d312487", "event_fingerprint": "66de93e93356302b7cdade60cabf69b7305865e4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 196, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 49, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "02e5fcd1c5e7bb2a00ba17299522f538", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 49 }, "payload_preview": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko", "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/114.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko", "evidence": { "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/114.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7789c7268cc9154eed6c65a3e14458fddbfd2de2", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_port_scan_fast", "websphere_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
07/06/2026 07:11:36 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports	Élevée	Moyen · 55
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_port_scan_fast Cible HTTP GET /images/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /images/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /images/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "ed2de66492dda3548e78c5a14cea344abaddd118", "http_target_hash": "c3e02c33e4e599b13776537fef445a739c5bf5a1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 386, "payload_entropy": 5.470180359842565, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 402253, "country": "CH", "dst_port": 9200, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "343d86788912adb29cecdb55f9194dedef9b3420", "event_fingerprint": "cdbe684357ac9a219dd845245a87b72bdbf72721", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 226, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 55, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "3a19f9eca8313a3344168daf8c4f8b9c", "path_pattern_hash": "ebfc9cc147746028ca30139889e0c240" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 55 }, "payload_preview": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "method": "GET", "path": "\/images\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/images\/favicon.ico HTTP\/1.1", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "method": "GET", "path": "\/images\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/images\/favicon.ico HTTP\/1.1", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f4b3c31b858deda0d91835a808c84ebf428713f5", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9443 · HTTPS	https	Scan de ports	Élevée	Moyen · 49
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKi Requête brute (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encodin Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 267, "payload_entropy": 5.412636286521311, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 49, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1797796c690c3170e6bcd4d2c61c6adc1d312487", "event_fingerprint": "66de93e93356302b7cdade60cabf69b7305865e4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 196, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 49, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1a8341f05238cd63c9e107873162530c", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 49 }, "payload_preview": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKi", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/118.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encodin", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKi", "evidence": { "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/118.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encodin", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKi", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "098c79795ca333039978284e842fa7573236ae2c", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_port_scan_fast", "websphere_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports	Élevée	Moyen · 56
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_assets Cible HTTP GET /assets/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /assets/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /assets/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "ed2de66492dda3548e78c5a14cea344abaddd118", "http_target_hash": "9deb03ee93b5c35fc64945fba2497110debf3fc9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 386, "payload_entropy": 5.471860712264972, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 402253, "country": "CH", "dst_port": 9200, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 50, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 25 }, "risk_score": 56, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3e9caa612342c1e02de2775e89c033c97cf800d0", "event_fingerprint": "a3e661f9dd493aea711e2464e1b36e1ae2e23758", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 226, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 25, "risk_score": 56, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "bb85b3fb4189ad71c34cb8d6806c9a0a", "path_pattern_hash": "69c03841151170259bac878d0fbd4b66" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 56 }, "payload_preview": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "method": "GET", "path": "\/assets\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/favicon.ico HTTP\/1.1", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "method": "GET", "path": "\/assets\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/favicon.ico HTTP\/1.1", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "54cfdbab542c8f8b5aca26024122623852266c5f", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_assets", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9443 · HTTPS	https	Scan de ports	Élevée	Moyen · 49
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:1.9.6.20) G Requête brute (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko/ Firefox/12.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 226, "payload_entropy": 5.303760777858802, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 49, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1797796c690c3170e6bcd4d2c61c6adc1d312487", "event_fingerprint": "66de93e93356302b7cdade60cabf69b7305865e4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 196, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 49, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4efcccb7cbe65ef5956c1603ef83af86", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 49 }, "payload_preview": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.6.20) G", "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko\/ Firefox\/12.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.6.20) G", "evidence": { "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko\/ Firefox\/12.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.6.20) G", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0b3eff2a1bf555d743c42f4b9457f9ad1a58b343", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_port_scan_fast", "websphere_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports	Élevée	Moyen · 55
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_port_scan_fast Cible HTTP GET /web/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /web/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /web/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple Requête brute (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "ed2de66492dda3548e78c5a14cea344abaddd118", "http_target_hash": "fbd790bdeb362b00d49b0fdb2cc8a77d3bcea549", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 383, "payload_entropy": 5.47875792024063, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 402253, "country": "CH", "dst_port": 9200, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "343d86788912adb29cecdb55f9194dedef9b3420", "event_fingerprint": "17ae3f0a832c78c70de147484b1fd1ac3acb1d59", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 226, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 55, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "ca695193a68cb42c4f97a16a14c319ca", "path_pattern_hash": "53177baa3eea1f41ac064a836a2fa9b0" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 55 }, "payload_preview": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "evidence": { "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "13c96c2833a480851cf27feb0edc7ee1f0fe00f5", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9443 · HTTPS	https	Scan de ports	Élevée	Moyen · 49
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) G Requête brute (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 234, "payload_entropy": 5.339739942820831, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 49, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1797796c690c3170e6bcd4d2c61c6adc1d312487", "event_fingerprint": "66de93e93356302b7cdade60cabf69b7305865e4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 196, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 49, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f45359782cb87f0b2d8ac0dd4f5d1209", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 49 }, "payload_preview": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) G", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko\/20100101 Firefox\/88.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) G", "evidence": { "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko\/20100101 Firefox\/88.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) G", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0cc359cade446615a855a67fc6a7e2bc25df6b81", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_port_scan_fast", "websphere_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
07/06/2026 07:11:36 UTC	TCP	9443 · HTTPS	https	Scan de ports	Élevée	Moyen · 49
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X Requête brute (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14) AppleWebKit/620.32 (KHTML, like Gecko) Version/17.1.10 Safari/620.32 Connection: close Accept: / Accept-Language: en Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 281, "payload_entropy": 5.382915967978742, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 49, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1797796c690c3170e6bcd4d2c61c6adc1d312487", "event_fingerprint": "66de93e93356302b7cdade60cabf69b7305865e4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 196, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 49, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b3a2f1bc7f4f8a9d5ca1227717c66f66", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 49 }, "payload_preview": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14) AppleWebKit\/620.32 (KHTML, like Gecko) Version\/17.1.10 Safari\/620.32\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\n", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "evidence": { "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14) AppleWebKit\/620.32 (KHTML, like Gecko) Version\/17.1.10 Safari\/620.32\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\n", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3df4b4bcffc621368e0b3b7c6b715a9d09d33530", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_port_scan_fast", "websphere_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9443 · HTTPS	https	Scan de ports	Élevée	Moyen · 49
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (ZZ; Linux x86_64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (ZZ; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 250, "payload_entropy": 5.460466550972928, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 49, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1797796c690c3170e6bcd4d2c61c6adc1d312487", "event_fingerprint": "66de93e93356302b7cdade60cabf69b7305865e4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 196, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 49, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a29438302263d2f47dac01c954db1109", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 49 }, "payload_preview": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, ", "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/137.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "evidence": { "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/137.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "87c4db1bdcb4104ad7b189fd800c73584b385720", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_port_scan_fast", "websphere_probe" ] }
07/06/2026 07:11:35 UTC	TCP	7002 · HTTP	http	Scan de ports	Élevée	Moyen · 56
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_assets Cible HTTP GET /assets/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /assets/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /assets/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "d07f7468bbadd08707c4d6fcef0afcdb71aea266", "http_target_hash": "9deb03ee93b5c35fc64945fba2497110debf3fc9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 386, "payload_entropy": 5.470916339268598, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 7002, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 56, "tag_count": 5, "anomaly_count": 0, "campaign_key": "6ffb9a38ac58f644530a48a58d737c6ba88fcac3", "event_fingerprint": "1adaee107539e6bd55c5c9f7e812a791a8b34a0f", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 56, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "df2e6c23093c20567dbcde01b217373e", "path_pattern_hash": "69c03841151170259bac878d0fbd4b66" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "method": "GET", "path": "\/assets\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/favicon.ico HTTP\/1.1", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "method": "GET", "path": "\/assets\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/favicon.ico HTTP\/1.1", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c338fc03b8d2ebad40849dd6394e5a207702143a", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_assets", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8443 · HTTPS	https	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Requête brute (extrait) GET / HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6 Safari/605.1.15 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 257, "payload_entropy": 5.329305809667793, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2aa17a6b515596b20eaea8d57184d62da9f48dfc", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1fb4e2a605bb693227a8b8d87af31249", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 47 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15", "request_sample": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/15.6 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/15.6 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "273bbee3b962c5ea57395b003b5d0c7639785e72", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 5, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8080 · HTTP	http	Scan de ports	Élevée	Moyen · 42
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 6 Recommandation Surveiller Tags 950470:nosqli-3 net_web_probe Cible HTTP GET /joomla.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /joomla.xml Pourquoi cette classification : Tags WAF: nosqli-3 · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /joomla.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Safari/605.1.15 Règles WAF nosqli-3 Payload (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKi Requête brute (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Safari/605.1.15 Connection: close Accept: / Accept-Language: en Accept-Encodin Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "57ccd1ae1eafdd78423b7516cbfc9a17eae53b7e", "http_host_hash": "3f64adb032f282a9da2d7027e8579434fd94567f", "http_target_hash": "b5d12a1bd786a4e8ded40b52d9812a90023251c0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.340936755387373, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8080, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "28ffa920a480bd1b540cd5abb003186a4ee07e79", "event_fingerprint": "efa2980f06fb17444b708486b28e77aa23db729e", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b70897524e02be2ff5eb466ef71a9bae", "payload_hash": "cd7fe332571e98da8776d822cd8c6a3e", "path_pattern_hash": "37b7494e384a970799b9ec3c4b123d60" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKi", "method": "GET", "path": "\/joomla.xml", "user_agent": "Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.4 Safari\/605.1.15", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/joomla.xml HTTP\/1.1", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.4 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encodin", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKi", "evidence": { "method": "GET", "path": "\/joomla.xml", "user_agent": "Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.4 Safari\/605.1.15", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/joomla.xml HTTP\/1.1", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.4 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encodin", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKi", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "17f85248e1992cb96c8443d1a305995525b9724a", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 5, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8880 · HTTP	http	Scan de ports	Élevée	Moyen · 49
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible / Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Requête brute (extrait) GET / HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1 Connection: close Accept: / Accept-Language: en Accept-Enco Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bba9971861d53ab2dd79cf9c3e25c0f8437bd3b8", "http_host_hash": "6f2c22ac9e61885d82ed7f07dd56e4791b76cc36", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 270, "payload_entropy": 5.329036317464518, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8880, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9c30ce3198befc881fb2b9eff62dd52155021f5f", "event_fingerprint": "d02d0cf983692d58cdb0cfca4295b2fba7206c25", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6315c86e833f530f95aef463d5336739", "payload_hash": "1f8badd5dbbdc01e27f5b69a3a4fd640", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4.1 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4.1 Mobile\/15E148 Safari\/604.1\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Enco", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4.1 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4.1 Mobile\/15E148 Safari\/604.1\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Enco", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "56e01e85bef4fae86c0caa336406bf7420e3cbd5", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8000 · SAP ICM	sap-icm	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_sap_web_probe sap_icm_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0 Requête brute (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 238, "payload_entropy": 5.249480788098909, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "sap-icm", "app_proto": "sap-icm", "asn": 402253, "country": "CH", "dst_port": 8000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 48, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25 }, "risk_score": 47, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f4d3bfae803bd07fc62331c16ac15c5323341684", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7d404852c5cd334fa04bc8ecb6ca61c9", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 47 }, "payload_preview": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0", "evidence": { "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1741e615d50088b96ca731c69538e97db280040f", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ] }
07/06/2026 07:11:35 UTC	TCP	8086 · HTTP	http	Scan de ports	Élevée	Moyen · 62
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /administrator/help/en-GB/toc.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8086 Chemin / cible /administrator/help/en-GB/toc.json Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/help/en-GB/toc.json HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /administrator/help/en-GB/toc.json HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv: Requête brute (extrait) GET /administrator/help/en-GB/toc.json HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a582d496e666c757864622d56657273696f6e3a20322e372e340d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2036370d0a0d0a7b226e616d65223a22686f6e6579706f742d696e666c7578222c226d6573", "emulator_response_len": 165, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "json", "http_ua_hash": "d25e24a9f7324e7a323eaec384c2262cb1ea441e", "http_host_hash": "6ab244efad12802dd83aef956fed419ab36d629f", "http_target_hash": "617481da6f5867560cd2fdf70cb848ef7749246d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 241, "payload_entropy": 5.301915097818261, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8086, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 8, "anomaly_count": 0, "campaign_key": "ad1a3a977d083ee45c81c96b775e5d46455ced84", "event_fingerprint": "2ba672ca07d2acc5705f6dc881e88c217f15a9a1", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "066aecd038d1db8320cbececd50d0544", "payload_hash": "f2681903eca57b4813ac6a5a5fd0bf1b", "path_pattern_hash": "ffc23282dc35670d41d8f4e8dae550a1" }, "target_context": { "dst_port": 8086, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:", "method": "GET", "path": "\/administrator\/help\/en-GB\/toc.json", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:12.0) Gecko\/20100101 Firefox\/12.0", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1", "request_sample": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:12.0) Gecko\/20100101 Firefox\/12.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:", "evidence": { "method": "GET", "path": "\/administrator\/help\/en-GB\/toc.json", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:12.0) Gecko\/20100101 Firefox\/12.0", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1", "request_sample": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:12.0) Gecko\/20100101 Firefox\/12.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f4799cbc38fe8c3ec50331259cdb91274739e59e", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	7002 · HTTP	http	Scan de ports	Élevée	Moyen · 55
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /web/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /web/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /web/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple Requête brute (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "d07f7468bbadd08707c4d6fcef0afcdb71aea266", "http_target_hash": "fbd790bdeb362b00d49b0fdb2cc8a77d3bcea549", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 383, "payload_entropy": 5.477806150066739, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 7002, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "36ee5b826cf7831b05ba23496b98738543340260", "event_fingerprint": "33f16306236db8750668d3a05b507e3b2b05eb9f", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "45bc6c4dd12f48e9aecd5c5f9fe701a6", "path_pattern_hash": "53177baa3eea1f41ac064a836a2fa9b0" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "evidence": { "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf32f9f2aeb383b43d907994c5ab920d93712144", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8443 · HTTPS	https	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET /joomla/ HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/201 Requête brute (extrait) GET /joomla/ HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 227, "payload_entropy": 5.292857421020587, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2aa17a6b515596b20eaea8d57184d62da9f48dfc", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ec5e8a94eb5bcf77a9638f693fcfe9c8", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 47 }, "payload_preview": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko\/201", "request_sample": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko\/20100101 Firefox\/133.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko\/201", "evidence": { "request_sample": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko\/20100101 Firefox\/133.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko\/201", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e10fefc026282439f6d7f5d5bb9f9f115d0d13fe", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8080 · HTTP	http	Scan de ports	Élevée	Moyen · 60
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /language/en-GB/en-GB.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /language/en-GB/en-GB.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /language/en-GB/en-GB.xml HTTP/1.1` User-Agent Mozilla/5.0 (ZZ; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (ZZ; Linux x86_64) AppleWebKit/5 Requête brute (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (ZZ; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encoding: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "xml", "http_ua_hash": "cd032074e1745d018a2727c81550805bbb23e3cc", "http_host_hash": "3f64adb032f282a9da2d7027e8579434fd94567f", "http_target_hash": "f6e3ce41a1739f6e53ae9c792dd8feb5eae9a9a7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 264, "payload_entropy": 5.428347581967717, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8080, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 60, "tag_count": 5, "anomaly_count": 0, "campaign_key": "dcbfac6705f19c40b3bb4f28c217d1d9a86765ec", "event_fingerprint": "9f76dc1357e7ddf7f7578801b8d1b1810292ba27", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 60, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "05310837b3d750a3a9b863cbd41a7d9d", "payload_hash": "ca55796cd539077e07c886ff54f0eba8", "path_pattern_hash": "99879359e0ccef25e57e05c0e6f11487" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 60 }, "payload_preview": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/5", "method": "GET", "path": "\/language\/en-GB\/en-GB.xml", "user_agent": "Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/132.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1", "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/132.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: ", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/language\/en-GB\/en-GB.xml", "user_agent": "Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/132.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1", "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/132.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: ", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/5", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2adc23d181bc5e5caf06074df1f4516359357059", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8880 · HTTP	http	Scan de ports	Élevée	Moyen · 54
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_joomla Cible HTTP GET /joomla/ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible /joomla/ Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /joomla/ HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /joomla/ HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/201 Requête brute (extrait) GET /joomla/ HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "f922726fcf7d5491db1c9a99525af14a14b90777", "http_host_hash": "6f2c22ac9e61885d82ed7f07dd56e4791b76cc36", "http_target_hash": "23653b39d3e34e9d6a111f32099d797b974403f2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 227, "payload_entropy": 5.311204544528872, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8880, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 54, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ff15d908b82e1bed090a504ec636191663917300", "event_fingerprint": "61c79699304d1a9c6085d8747bbeee14d234c601", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 54, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8decf33b43f8c7a903f495f737bc4c5f", "payload_hash": "795f2bec620536f63519e426ecccd85d", "path_pattern_hash": "d9cc85416b877e65f034d906e5cba1fd" }, "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko\/201", "method": "GET", "path": "\/joomla\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko\/20100101 Firefox\/137.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla\/ HTTP\/1.1", "request_sample": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko\/20100101 Firefox\/137.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko\/201", "evidence": { "method": "GET", "path": "\/joomla\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko\/20100101 Firefox\/137.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla\/ HTTP\/1.1", "request_sample": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko\/20100101 Firefox\/137.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko\/201", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bedc4e0c1ddec0a3a773d5808ffaad2e6b802bc3", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8000 · SAP ICM	sap-icm	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_sap_web_probe sap_icm_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x Requête brute (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Firefox/58.0.1 Connection: close Accept: / Accept-Language: en Accept-Encoding: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 265, "payload_entropy": 5.361032334260668, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "sap-icm", "app_proto": "sap-icm", "asn": 402253, "country": "CH", "dst_port": 8000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 48, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25 }, "risk_score": 47, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f4d3bfae803bd07fc62331c16ac15c5323341684", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "edcd2596e56fa9f8fcfb49a7a5f0a4b4", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 47 }, "payload_preview": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Firefox\/58.0.1\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding:", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x", "evidence": { "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Firefox\/58.0.1\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding:", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "db108ea1fb8c1cdc2f28b15cd5d5902c273df9f5", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ] }
07/06/2026 07:11:35 UTC	TCP	8086 · HTTP	http	Scan de ports	Élevée	Moyen · 62
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /administrator/language/en-GB/install.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8086 Chemin / cible /administrator/language/en-GB/install.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/language/en-GB/install.xml HTTP/1.1` User-Agent Mozilla/5.0 (Fedora; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Fedora; Linux i Requête brute (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Fedora; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a582d496e666c757864622d56657273696f6e3a20322e372e340d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2036370d0a0d0a7b226e616d65223a22686f6e6579706f742d696e666c7578222c226d6573", "emulator_response_len": 165, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "adaa6f63373f89398fff6cd15365e1c8e624b076", "http_host_hash": "6ab244efad12802dd83aef956fed419ab36d629f", "http_target_hash": "374e3f21b83ce39520690c8e734b70b1147798ba", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 282, "payload_entropy": 5.368724660930541, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8086, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 8, "anomaly_count": 0, "campaign_key": "ad1a3a977d083ee45c81c96b775e5d46455ced84", "event_fingerprint": "1577250d70b01911a6a83b8118c6d9b30571eb44", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c15232762c155f38088524cc45d92bef", "payload_hash": "a21a74f916cd2eeb9a16cb9238313a82", "path_pattern_hash": "99d77b392b5126ef091af0d5186e18e0" }, "target_context": { "dst_port": 8086, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Fedora; Linux i", "method": "GET", "path": "\/administrator\/language\/en-GB\/install.xml", "user_agent": "Mozilla\/5.0 (Fedora; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/142.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1", "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Fedora; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/142.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Fedora; Linux i", "evidence": { "method": "GET", "path": "\/administrator\/language\/en-GB\/install.xml", "user_agent": "Mozilla\/5.0 (Fedora; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/142.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1", "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Fedora; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/142.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Fedora; Linux i", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "22adbe7db860c6ab9f369563a328b1af6cad7d1d", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8443 · HTTPS	https	Scan de ports	Élevée	Moyen · 48
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ES admin GET User-Agent — Règles WAF — Payload (extrait) GET /administrator/ HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14) AppleWebKit Requête brute (extrait) GET /administrator/ HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14) AppleWebKit/620.32 (KHTML, like Gecko) Version/17.1.10 Safari/620.32 Connection: close Accept: / Accept-Language: en Accept-Encoding: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 265, "payload_entropy": 5.334432663973063, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 3.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 48, "tag_count": 5, "anomaly_count": 0, "campaign_key": "e9424952509f02f1feff42205b83870ff8d40140", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0341" ], "matched_pattern_names": [ "ES admin GET" ], "pattern_ids": [ "pat-0341" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 48, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d5f4a48a2accc922f9a70fc362921009", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 48 }, "payload_preview": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14) AppleWebKit", "request_sample": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14) AppleWebKit\/620.32 (KHTML, like Gecko) Version\/17.1.10 Safari\/620.32\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding:", "payload_snippet": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14) AppleWebKit", "evidence": { "request_sample": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14) AppleWebKit\/620.32 (KHTML, like Gecko) Version\/17.1.10 Safari\/620.32\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding:", "payload_snippet": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14) AppleWebKit", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "09ae317a9e976e6bfea1eff20e079880c61ee6f5", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "tor_exit_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8080 · HTTP	http	Scan de ports	Élevée	Moyen · 54
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /modules/custom.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /modules/custom.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /modules/custom.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWeb Requête brute (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-En Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "630b47dae59883dc60dc52b9188fac829e167279", "http_host_hash": "3f64adb032f282a9da2d7027e8579434fd94567f", "http_target_hash": "632ece66dfb5ec5e21273c3861983a2ba62f07b7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 272, "payload_entropy": 5.412158753520982, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8080, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f24aa19b861b9f57d88ee4561751cd3e6d0a2752", "event_fingerprint": "00e62a4dd8902cae44ee262f2e951f7343d1186b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9917f68c8e494cf5f0dc2dc18b43ad78", "payload_hash": "34240e0437fce5847cae34371c5698e6", "path_pattern_hash": "f5ab2d5346f34e0a620fba1ef488dca0" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "method": "GET", "path": "\/modules\/custom.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/94.0.4606.81 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/modules\/custom.xml HTTP\/1.1", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/94.0.4606.81 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-En", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "evidence": { "method": "GET", "path": "\/modules\/custom.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/94.0.4606.81 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/modules\/custom.xml HTTP\/1.1", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/94.0.4606.81 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-En", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "58f4328b13314ff23426c88d8cab804eae46627b", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8880 · HTTP	http	Scan de ports	Élevée	Moyen · 45
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 12 Recommandation Surveiller Tags 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe http_admin_panel_scan Cible HTTP GET /administrator/ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible /administrator/ Pourquoi cette classification : Tags WAF: nosqli-3 · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/ HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Safari/605.1.15 Règles WAF nosqli-3 Payload (extrait) GET /administrator/ HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleW Requête brute (extrait) GET /administrator/ HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Safari/605.1.15 Connection: close Accept: / Accept-Language: en Accept-Enc Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "cd0c5baa3b618e12aace085813655dd326131d79", "http_host_hash": "6f2c22ac9e61885d82ed7f07dd56e4791b76cc36", "http_target_hash": "0f6d04d0a59f96b6ba5c15c3721804e572006f43", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 271, "payload_entropy": 5.311876992838714, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8880, "risk_waf": 56, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 56, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 45, "tag_count": 6, "anomaly_count": 0, "campaign_key": "405398150976658bbed7d008f42a0bb3c86e4b14", "event_fingerprint": "5c4f7637f4e89f72fbcbd741a83b0b6efd1baf94", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 56, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 45, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f6679d85bb2c925ee95ad3a6a11be0b3", "payload_hash": "6c2421c0ec071c9b309ac362e1f790ae", "path_pattern_hash": "cb8cd75c08bc9ba0c944ce837c38c33b" }, "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleW", "method": "GET", "path": "\/administrator\/", "user_agent": "Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.3 Safari\/605.1.15", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/administrator\/ HTTP\/1.1", "request_sample": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.3 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Enc", "payload_snippet": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleW", "evidence": { "method": "GET", "path": "\/administrator\/", "user_agent": "Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.3 Safari\/605.1.15", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/administrator\/ HTTP\/1.1", "request_sample": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.3 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Enc", "payload_snippet": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleW", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8a63b41c0c08fab3ce1da0002c1c611b0a364bd5", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8000 · SAP ICM	sap-icm	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_sap_web_probe sap_icm_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:8000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko/ Firefo Requête brute (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:8000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko/ Firefox/7.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 213, "payload_entropy": 5.343461936347679, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "sap-icm", "app_proto": "sap-icm", "asn": 402253, "country": "CH", "dst_port": 8000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 48, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25 }, "risk_score": 47, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f4d3bfae803bd07fc62331c16ac15c5323341684", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "aa056a9fa6bf5bee7244f0cae90e8094", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 47 }, "payload_preview": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Firefo", "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Firefox\/7.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Firefo", "evidence": { "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Firefox\/7.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Firefo", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "88a82e0ed30bd865efa5467e3254b34e3e8b1768", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ] }
07/06/2026 07:11:35 UTC	TCP	8888 · HTTP	http	Scan de ports	Élevée	Moyen · 50
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible / Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTP alt 8888 probe Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (SS; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (SS; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Requête brute (extrait) GET / HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (SS; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "84762a61f6a516559c1eb4bdb18480d8874ed291", "http_host_hash": "b22a9d6496fdf8cd57a772fe70fa6b428c1a78bb", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 238, "payload_entropy": 5.36204729145153, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8888, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 50, "tag_count": 4, "anomaly_count": 0, "campaign_key": "e11c1b827d438ca6f81f14ef35ff35f7c31ff992", "event_fingerprint": "d96673c00b57d970f6555d6dff66c77e09351a74", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0599" ], "matched_pattern_names": [ "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0599" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 50, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "60e2d627316731bfe374d9e7a4822940", "payload_hash": "625662f05a17fed19161d17692032bcb", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 50 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (SS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) ", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (SS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (SS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (SS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko)", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (SS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (SS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (SS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko)", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "327458ddac960b88513d5cb3909da3291498abc5", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8086 · HTTP	http	Scan de ports	Élevée	Moyen · 57
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /administrator/manifests/files/joomla.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8086 Chemin / cible /administrator/manifests/files/joomla.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/manifests/files/joomla.xml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko/ Firefox/3.6.2 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /administrator/manifests/files/joomla.xml HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (X11; Linux x86_ Requête brute (extrait) GET /administrator/manifests/files/joomla.xml HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko/ Firefox/3.6.2 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a582d496e666c757864622d56657273696f6e3a20322e372e340d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2036370d0a0d0a7b226e616d65223a22686f6e6579706f742d696e666c7578222c226d6573", "emulator_response_len": 165, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "aa40e6550c53ca2ea8481fae2389b5aa0290e276", "http_host_hash": "6ab244efad12802dd83aef956fed419ab36d629f", "http_target_hash": "c6fb3f903fa16273b39114aec8b3d25d6a09b2eb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 245, "payload_entropy": 5.309388396774236, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8086, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.6, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 57, "tag_count": 7, "anomaly_count": 0, "campaign_key": "3704da4d7cfd8766fbf43a70492d4afb8c77ad4e", "event_fingerprint": "4ccae5b169b17ec1c6b299d76d348dabcd51516e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 57, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "54c86f3afc5209cd2ce7db3cfaf6730b", "payload_hash": "4f750f2523fa5db0e6028c0414cb3b31", "path_pattern_hash": "c4f3d5811d6d989618ffc547885c6936" }, "target_context": { "dst_port": 8086, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_", "method": "GET", "path": "\/administrator\/manifests\/files\/joomla.xml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Firefox\/3.6.2", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1", "request_sample": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Firefox\/3.6.2\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_", "evidence": { "method": "GET", "path": "\/administrator\/manifests\/files\/joomla.xml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Firefox\/3.6.2", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1", "request_sample": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Firefox\/3.6.2\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6ecca2dac8a673d078cff622b7b499a1180bc5f7", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8443 · HTTPS	https	Scan de ports	Élevée	Moyen · 48
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ES admin GET User-Agent — Règles WAF — Payload (extrait) GET /administrator/help/en-GB/toc.json HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac O Requête brute (extrait) GET /administrator/help/en-GB/toc.json HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15 Connection: close Accept: / Accept-Langu Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 290, "payload_entropy": 5.337927272004431, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 3.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 48, "tag_count": 5, "anomaly_count": 0, "campaign_key": "e9424952509f02f1feff42205b83870ff8d40140", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0341" ], "matched_pattern_names": [ "ES admin GET" ], "pattern_ids": [ "pat-0341" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 48, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "053c67a46c8e66c3e0c92983dd7401a8", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 48 }, "payload_preview": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac O", "request_sample": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Langu", "payload_snippet": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac O", "evidence": { "request_sample": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Langu", "payload_snippet": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac O", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aa40e6608d0f16c4acc86a74c718614f3c1f8e84", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "tor_exit_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8080 · HTTP	http	Scan de ports	Élevée	Moyen · 55
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /plugins/system/debug/debug.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /plugins/system/debug/debug.xml Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /plugins/system/debug/debug.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14) AppleWebKit/620.32 (KHTML, like Gecko) Version/17.1.10 Safari/620.32 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X Requête brute (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14) AppleWebKit/620.32 (KHTML, like Gecko) Version/17.1.10 Safari/620.32 Connection: close Accept: / Accept-Language: en Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "55cdcd5f952d45d087f05df32826b52d92b95639", "http_host_hash": "3f64adb032f282a9da2d7027e8579434fd94567f", "http_target_hash": "72342f75eb3d267db2b9e94ef476febfa2c522cb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 281, "payload_entropy": 5.375798530256321, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8080, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 55, "tag_count": 5, "anomaly_count": 0, "campaign_key": "cbb8f1003d6c1fef55bba4d3b09f73530828be2a", "event_fingerprint": "aa8e227154851bd5af9a0637a986e3bac4420037", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 55, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "19530b1305d401275ec89a5e4825d8b9", "payload_hash": "804f102d8c9fc907f0edad15ddbc063f", "path_pattern_hash": "5827499d7e8d83e6835edd2eb5f2a61b" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "method": "GET", "path": "\/plugins\/system\/debug\/debug.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14) AppleWebKit\/620.32 (KHTML, like Gecko) Version\/17.1.10 Safari\/620.32", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14) AppleWebKit\/620.32 (KHTML, like Gecko) Version\/17.1.10 Safari\/620.32\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\n", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "evidence": { "method": "GET", "path": "\/plugins\/system\/debug\/debug.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14) AppleWebKit\/620.32 (KHTML, like Gecko) Version\/17.1.10 Safari\/620.32", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14) AppleWebKit\/620.32 (KHTML, like Gecko) Version\/17.1.10 Safari\/620.32\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\n", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5467a46e9f8d7142f4f94aa773244a2ddac2fb44", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8880 · HTTP	http	Scan de ports	Élevée	Moyen · 60
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /administrator/help/en-GB/toc.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible /administrator/help/en-GB/toc.json Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/help/en-GB/toc.json HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Version/15.1 Safari/605.1.15 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /administrator/help/en-GB/toc.json HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac O Requête brute (extrait) GET /administrator/help/en-GB/toc.json HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Version/15.1 Safari/605.1.15 Connection: close Accept: / Accept-Language: en Accept-Enco Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "json", "http_ua_hash": "d55075b56e817c92b275298267a57979433e720d", "http_host_hash": "6f2c22ac9e61885d82ed7f07dd56e4791b76cc36", "http_target_hash": "617481da6f5867560cd2fdf70cb848ef7749246d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 270, "payload_entropy": 5.26763342661809, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8880, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 60, "tag_count": 8, "anomaly_count": 0, "campaign_key": "7541e6abd3d6c2fe39f02ad720171d3f9b027868", "event_fingerprint": "24f75f93b612daa438e8adf884a76352ad4596cc", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 60, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "614acd2b950ff44a252b9c364fc00cf7", "payload_hash": "434657c9b01906376b76c4b9a942b98f", "path_pattern_hash": "ffc23282dc35670d41d8f4e8dae550a1" }, "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 60 }, "payload_preview": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac O", "method": "GET", "path": "\/administrator\/help\/en-GB\/toc.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 Version\/15.1 Safari\/605.1.15", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1", "request_sample": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 Version\/15.1 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Enco", "payload_snippet": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac O", "evidence": { "method": "GET", "path": "\/administrator\/help\/en-GB\/toc.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 Version\/15.1 Safari\/605.1.15", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1", "request_sample": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 Version\/15.1 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Enco", "payload_snippet": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac O", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7e951ae3fb0e87a736d31a716038c7814865f9b1", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8000 · SAP ICM	sap-icm	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_sap_web_probe sap_icm_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 User-Agent — Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:8000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:8000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml,app Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 379, "payload_entropy": 5.477597606026673, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "sap-icm", "app_proto": "sap-icm", "asn": 402253, "country": "CH", "dst_port": 8000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 48, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25 }, "risk_score": 47, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f4d3bfae803bd07fc62331c16ac15c5323341684", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3b0df914bf132c7a0f3ba62979112f8b", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 47 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "evidence": { "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "682ba7608ca0d203c72de340cf3d4b3fb44a0d74", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ] }
07/06/2026 07:11:35 UTC	TCP	8888 · HTTP	http	Scan de ports	Élevée	Moyen · 55
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_joomla Cible HTTP GET /joomla/ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible /joomla/ Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTP alt 8888 probe Ligne de requête `GET /joomla/ HTTP/1.1` User-Agent Mozilla/5.0 (ZZ; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /joomla/ HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (ZZ; Linux x86_64) AppleWebKit/537.36 (KHTML, lik Requête brute (extrait) GET /joomla/ HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (ZZ; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "e0556b2259432d8bb18d3bec5a5bebd388b38354", "http_host_hash": "b22a9d6496fdf8cd57a772fe70fa6b428c1a78bb", "http_target_hash": "23653b39d3e34e9d6a111f32099d797b974403f2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 247, "payload_entropy": 5.415682287144092, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8888, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 55, "tag_count": 5, "anomaly_count": 0, "campaign_key": "93e1c370cbee38eed59c3a9fb84cf8cf8e113031", "event_fingerprint": "0ac92677c1ce115fa59828f668204fa8c62cfa2d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0599" ], "matched_pattern_names": [ "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0599" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 55, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "92031a06e9a4ecdc55629abbde3f4d79", "payload_hash": "3d7ec0ea7da09d8acd118f9896dc9df5", "path_pattern_hash": "d9cc85416b877e65f034d906e5cba1fd" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "method": "GET", "path": "\/joomla\/", "user_agent": "Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/131.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla\/ HTTP\/1.1", "request_sample": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/131.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "evidence": { "method": "GET", "path": "\/joomla\/", "user_agent": "Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/131.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla\/ HTTP\/1.1", "request_sample": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/131.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a7e92875bf5b51a3d66e2ccc1f86f72e3a51f8b8", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8086 · HTTP	http	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /htaccess.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8086 Chemin / cible /htaccess.txt Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /htaccess.txt HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWeb Requête brute (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15 Connection: close Accept: / Accept-Language: en Accept-Enc Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a582d496e666c757864622d56657273696f6e3a20322e372e340d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2036370d0a0d0a7b226e616d65223a22686f6e6579706f742d696e666c7578222c226d6573", "emulator_response_len": 165, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "70438b46a8022266c2757bdf63a1d6ec0b87b9aa", "http_host_hash": "6ab244efad12802dd83aef956fed419ab36d629f", "http_target_hash": "bcac0ded0564d5a60b4bf8080877283a3eb8cb0f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 271, "payload_entropy": 5.311887064006987, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8086, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ba7297ebbb265fdc848910cda0d09ed0eb083486", "event_fingerprint": "e471c84affae0bc0b0e6b560ec54f94b404cb427", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "af49b4d5684861f379a98b47c1c9d0fc", "payload_hash": "4c765ed84773b0bd6f8808e7d29973b0", "path_pattern_hash": "c9998214e9f1a3c7de61d98ecf85df84" }, "target_context": { "dst_port": 8086, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWeb", "method": "GET", "path": "\/htaccess.txt", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/14.1.2 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/htaccess.txt HTTP\/1.1", "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/14.1.2 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Enc", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWeb", "evidence": { "method": "GET", "path": "\/htaccess.txt", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/14.1.2 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/htaccess.txt HTTP\/1.1", "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/14.1.2 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Enc", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWeb", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a95afcc8ce2abf2fed427ca42600387cd07becab", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
07/06/2026 07:11:35 UTC	TCP	8443 · HTTPS	https	Scan de ports	Élevée	Moyen · 48
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ES admin GET User-Agent — Règles WAF — Payload (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; U; P Requête brute (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_2; en) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.18 Connection: close Accept: / Acce Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 298, "payload_entropy": 5.360396675261947, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 3.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 48, "tag_count": 5, "anomaly_count": 0, "campaign_key": "e9424952509f02f1feff42205b83870ff8d40140", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0341" ], "matched_pattern_names": [ "ES admin GET" ], "pattern_ids": [ "pat-0341" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 48, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d0e4edc854ed3d17f9cacf3c90834dae", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 48 }, "payload_preview": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; P", "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10_5_2; en) AppleWebKit\/525.18 (KHTML, like Gecko) Version\/3.1.1 Safari\/525.18\r\nConnection: close\r\nAccept: \/\r\nAcce", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; P", "evidence": { "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10_5_2; en) AppleWebKit\/525.18 (KHTML, like Gecko) Version\/3.1.1 Safari\/525.18\r\nConnection: close\r\nAccept: \/\r\nAcce", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; P", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "952edaa2e54bc3d34320753b53378cf905ffc62f", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "tor_exit_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8080 · HTTP	http	Scan de ports	Élevée	Moyen · 46
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /README.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /README.txt Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /README.txt HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "940ef98c80932a8517b4241839e8e9d3b1f40c6b", "http_host_hash": "3f64adb032f282a9da2d7027e8579434fd94567f", "http_target_hash": "ab9489e2835a4c90f6af65db2a350e9fbed45704", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.45346013017851, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8080, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "57f088a40ee12788bdcf96d0d3ffc1707c32a99e", "event_fingerprint": "9d0e1706c313eba6c3b3c1a95865c95c767b6790", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 46, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ac8f5c88a83e672485247380c0afada5", "payload_hash": "4d8e1b38896522ed11a4cf958c2ba969", "path_pattern_hash": "f1da2ac495442188b42e61002c12ea20" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/README.txt", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/README.txt HTTP\/1.1", "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/126.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/README.txt", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/README.txt HTTP\/1.1", "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/126.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8987b3a73b8ee1ff60e50c30655c7499c2c06efe", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8880 · HTTP	http	Scan de ports	Élevée	Moyen · 60
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /administrator/language/en-GB/install.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible /administrator/language/en-GB/install.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/language/en-GB/install.xml HTTP/1.1` User-Agent Mozilla/5.0 (ZZ; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (ZZ; Linux i686) Requête brute (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (ZZ; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Acc Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "9745fc7283f41e5e4fd1f54f3f7a2ca981b25a49", "http_host_hash": "6f2c22ac9e61885d82ed7f07dd56e4791b76cc36", "http_target_hash": "374e3f21b83ce39520690c8e734b70b1147798ba", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 278, "payload_entropy": 5.368307691073172, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8880, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 60, "tag_count": 8, "anomaly_count": 0, "campaign_key": "7541e6abd3d6c2fe39f02ad720171d3f9b027868", "event_fingerprint": "236232c7364fcb0e4ba93c98e3a756fde6362849", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 60, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "deceaca8aa7e0b4cfbd999b3bc5b620c", "payload_hash": "c1c87bd44f234620e7fab99fcf219c4f", "path_pattern_hash": "99d77b392b5126ef091af0d5186e18e0" }, "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 60 }, "payload_preview": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux i686)", "method": "GET", "path": "\/administrator\/language\/en-GB\/install.xml", "user_agent": "Mozilla\/5.0 (ZZ; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/132.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1", "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/132.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAcc", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux i686)", "evidence": { "method": "GET", "path": "\/administrator\/language\/en-GB\/install.xml", "user_agent": "Mozilla\/5.0 (ZZ; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/132.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1", "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/132.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAcc", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux i686)", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e7214582c57da48fc792e426c2134ab40ba92fa9", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8000 · SAP ICM	sap-icm	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_sap_web_probe sap_icm_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 User-Agent — Règles WAF — Payload (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 386, "payload_entropy": 5.468809051518781, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "sap-icm", "app_proto": "sap-icm", "asn": 402253, "country": "CH", "dst_port": 8000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 48, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25 }, "risk_score": 47, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f4d3bfae803bd07fc62331c16ac15c5323341684", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cd3e42a006c493c69f876ef8675d1bb0", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 47 }, "payload_preview": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "296f2616359ba6642ec62fa83bbdb58f5b872348", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ] }
07/06/2026 07:11:35 UTC	TCP	8888 · HTTP	http	Scan de ports	Élevée	Moyen · 56
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /administrator/ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible /administrator/ Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console HTTP alt 8888 probe Ligne de requête `GET /administrator/ HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0) Gecko/20100101 Firefox/78.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /administrator/ HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0) Requête brute (extrait) GET /administrator/ HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0) Gecko/20100101 Firefox/78.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "5db03e7d0e33d6cfba9108835e3379a2143eafa5", "http_host_hash": "b22a9d6496fdf8cd57a772fe70fa6b428c1a78bb", "http_target_hash": "0f6d04d0a59f96b6ba5c15c3721804e572006f43", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 236, "payload_entropy": 5.234119801888293, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8888, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 56, "tag_count": 7, "anomaly_count": 0, "campaign_key": "6ef011c3e2ab7d78a3a1e2daf851e6791fbf1a50", "event_fingerprint": "633552b2fb97e20efad6fc6c54ddf4162af226b6", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606", "pat-0599" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console", "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606", "pat-0599" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 56, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "29ac2baa0944c314390b1d29ad0ee4d8", "payload_hash": "5916e21a2c99e75593d92e91a19e2812", "path_pattern_hash": "cb8cd75c08bc9ba0c944ce837c38c33b" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0)", "method": "GET", "path": "\/administrator\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0) Gecko\/20100101 Firefox\/78.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/ HTTP\/1.1", "request_sample": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0) Gecko\/20100101 Firefox\/78.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0)", "evidence": { "method": "GET", "path": "\/administrator\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0) Gecko\/20100101 Firefox\/78.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/ HTTP\/1.1", "request_sample": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0) Gecko\/20100101 Firefox\/78.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0)", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7a74d46fcfd8aefc83e5944af377784153063724", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8086 · HTTP	http	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /joomla.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8086 Chemin / cible /joomla.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /joomla.xml HTTP/1.1` User-Agent Mozilla/5.0 (CentOS; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (CentOS; Linux x86_64) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (CentOS; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a582d496e666c757864622d56657273696f6e3a20322e372e340d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2036370d0a0d0a7b226e616d65223a22686f6e6579706f742d696e666c7578222c226d6573", "emulator_response_len": 165, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c569c9eea9a95b805dfb11100bbae3ea43accbed", "http_host_hash": "6ab244efad12802dd83aef956fed419ab36d629f", "http_target_hash": "b5d12a1bd786a4e8ded40b52d9812a90023251c0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.426330668523243, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8086, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ba7297ebbb265fdc848910cda0d09ed0eb083486", "event_fingerprint": "650bb0ebc60f69ffc9eea8df1904325e474bf0e2", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "85c277fdc85782920e28a8794d7002bd", "payload_hash": "89e7e1ac2576bf924782f75b3d870da4", "path_pattern_hash": "37b7494e384a970799b9ec3c4b123d60" }, "target_context": { "dst_port": 8086, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux x86_64) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/joomla.xml", "user_agent": "Mozilla\/5.0 (CentOS; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/132.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla.xml HTTP\/1.1", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/132.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux x86_64) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/joomla.xml", "user_agent": "Mozilla\/5.0 (CentOS; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/132.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla.xml HTTP\/1.1", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/132.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux x86_64) AppleWebKit\/537.36 (KHT", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "08298cbb60f20a9b2acd1c126d7dc3132f80f6a4", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8443 · HTTPS	https	Scan de ports	Élevée	Moyen · 48
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ES admin GET User-Agent — Règles WAF — Payload (extrait) GET /administrator/manifests/files/joomla.xml HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Inte Requête brute (extrait) GET /administrator/manifests/files/joomla.xml HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.3 Connection: close Accept: / Accept-Language: en Accept-Encoding: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 264, "payload_entropy": 5.286939527128316, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 3.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 48, "tag_count": 5, "anomaly_count": 0, "campaign_key": "e9424952509f02f1feff42205b83870ff8d40140", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0341" ], "matched_pattern_names": [ "ES admin GET" ], "pattern_ids": [ "pat-0341" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 48, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "92307cf693bc0ada4c32948fde55899e", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 48 }, "payload_preview": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte", "request_sample": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko\/20100101 Firefox\/128.3\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: ", "payload_snippet": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte", "evidence": { "request_sample": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko\/20100101 Firefox\/128.3\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: ", "payload_snippet": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "294a8707a6b8c70f229223b128a8d0f843938a30", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "tor_exit_probe" ], "behavior_alert_count": 1, "behavior_priority": 84 }
07/06/2026 07:11:35 UTC	TCP	8080 · HTTP	http	Scan de ports	Élevée	Moyen · 46
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml,app Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "3f64adb032f282a9da2d7027e8579434fd94567f", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 379, "payload_entropy": 5.482279499195056, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8080, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "57f088a40ee12788bdcf96d0d3ffc1707c32a99e", "event_fingerprint": "f0c7540ae94dd06ee97286c4e47f9e7d5346b40e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 46, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "c99fbad34d1257f4e58b7adc85c9f463", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ac6bccd8f9c70564bce04464749a7b353153f5ae", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8880 · HTTP	http	Scan de ports	Élevée	Moyen · 55
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /administrator/manifests/files/joomla.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible /administrator/manifests/files/joomla.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/manifests/files/joomla.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /administrator/manifests/files/joomla.xml HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Windows NT 10.0 Requête brute (extrait) GET /administrator/manifests/files/joomla.xml HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "d4b60f5a62500ab560bb8b05086fea6409bb27ac", "http_host_hash": "6f2c22ac9e61885d82ed7f07dd56e4791b76cc36", "http_target_hash": "c6fb3f903fa16273b39114aec8b3d25d6a09b2eb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.293228446253799, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8880, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 55, "tag_count": 7, "anomaly_count": 0, "campaign_key": "299e4c348f8697f1a150f1b9a61ea97b50c49144", "event_fingerprint": "7e8058f64a198fc5c0baef0c9fbdc0821d468682", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 55, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6852598b3e6aad42b5004bcc7e29b78e", "payload_hash": "54170b0bfd2de3343175a5b120bcf832", "path_pattern_hash": "c4f3d5811d6d989618ffc547885c6936" }, "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0", "method": "GET", "path": "\/administrator\/manifests\/files\/joomla.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko\/20100101 Firefox\/127.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1", "request_sample": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko\/20100101 Firefox\/127.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip", "payload_snippet": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0", "evidence": { "method": "GET", "path": "\/administrator\/manifests\/files\/joomla.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko\/20100101 Firefox\/127.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1", "request_sample": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko\/20100101 Firefox\/127.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip", "payload_snippet": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6860e9bbdcd842dcc8932f8165289331a4ec4cd5", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8000 · SAP ICM	sap-icm	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_sap_web_probe sap_icm_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 User-Agent — Règles WAF — Payload (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 386, "payload_entropy": 5.470489403941187, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "sap-icm", "app_proto": "sap-icm", "asn": 402253, "country": "CH", "dst_port": 8000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 48, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25 }, "risk_score": 47, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f4d3bfae803bd07fc62331c16ac15c5323341684", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b76a47a4caa215a463d3bfda5be1ae7e", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 47 }, "payload_preview": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cd5faa74f014fd8a33b2a58228abab0c212617ee", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ] }
07/06/2026 07:11:35 UTC	TCP	8888 · HTTP	http	Scan de ports	Élevée	Moyen · 62
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /administrator/help/en-GB/toc.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible /administrator/help/en-GB/toc.json Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console HTTP alt 8888 probe Ligne de requête `GET /administrator/help/en-GB/toc.json HTTP/1.1` User-Agent Mozilla/5.0 (Knoppix; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /administrator/help/en-GB/toc.json HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Knoppix; Linux i686) A Requête brute (extrait) GET /administrator/help/en-GB/toc.json HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Knoppix; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accep Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "json", "http_ua_hash": "df50b6b71ef74068ebcd951d6fcfaa08876c2e74", "http_host_hash": "b22a9d6496fdf8cd57a772fe70fa6b428c1a78bb", "http_target_hash": "617481da6f5867560cd2fdf70cb848ef7749246d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 276, "payload_entropy": 5.345038367106169, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8888, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.3, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 8, "anomaly_count": 0, "campaign_key": "fb376f98f5956eb4e53250f8876febe29766bee8", "event_fingerprint": "583d543a79ea0dd58fb4c9495337b7c998fd59b4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606", "pat-0599" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console", "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606", "pat-0599" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8dd3149b21680154982a35ba14ff7da1", "payload_hash": "d5f12b8ef82771556927207cbdc7823e", "path_pattern_hash": "ffc23282dc35670d41d8f4e8dae550a1" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) A", "method": "GET", "path": "\/administrator\/help\/en-GB\/toc.json", "user_agent": "Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1", "request_sample": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccep", "payload_snippet": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) A", "evidence": { "method": "GET", "path": "\/administrator\/help\/en-GB\/toc.json", "user_agent": "Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1", "request_sample": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccep", "payload_snippet": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) A", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6ced99498ffde64b6f8c1c0eefac959d2e4fe017", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8086 · HTTP	http	Scan de ports	Élevée	Moyen · 61
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /language/en-GB/en-GB.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8086 Chemin / cible /language/en-GB/en-GB.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /language/en-GB/en-GB.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:140.0) Gecko/20100101 Firefox/140.0 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11 Requête brute (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:140.0) Gecko/20100101 Firefox/140.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a582d496e666c757864622d56657273696f6e3a20322e372e340d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2036370d0a0d0a7b226e616d65223a22686f6e6579706f742d696e666c7578222c226d6573", "emulator_response_len": 165, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "xml", "http_ua_hash": "af9016a08a3716e00bfd3d25140e4cbcdd814b0c", "http_host_hash": "6ab244efad12802dd83aef956fed419ab36d629f", "http_target_hash": "f6e3ce41a1739f6e53ae9c792dd8feb5eae9a9a7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.260565249571836, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8086, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "cc714022c20b7d5a505b1a2a0ff96fbbd5ea4d20", "event_fingerprint": "517ee1db4fa443a6eb3e89ae2c2215d7ebe1fd75", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2cb4ec33d4a4a5fe7f31967ebbecbe48", "payload_hash": "3ee0a37b61d9da80ca516fa00f4f1b86", "path_pattern_hash": "99879359e0ccef25e57e05c0e6f11487" }, "target_context": { "dst_port": 8086, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.11", "method": "GET", "path": "\/language\/en-GB\/en-GB.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.11; rv:140.0) Gecko\/20100101 Firefox\/140.0", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1", "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.11; rv:140.0) Gecko\/20100101 Firefox\/140.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.11", "evidence": { "method": "GET", "path": "\/language\/en-GB\/en-GB.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.11; rv:140.0) Gecko\/20100101 Firefox\/140.0", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1", "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.11; rv:140.0) Gecko\/20100101 Firefox\/140.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.11", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "df221325b6d67bb65fd7e1a6a34b732f5cd6001e", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }

209.99.187.19

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence