|
|
TCP |
444 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:444 · (tentative d'exploit)
|
Élevée
|
Moyen · 56
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
444
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Risque capteur
Moyen
· 56
Confiance : Confiance 59 % — 5 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:444
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:444 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "96bd0f703b966543acff1c39b6284d0525249c56",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 172,
"payload_entropy": 5.187951222285803,
"port_category": "well_known",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 444,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 56,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "1edf9e0fb86c007d0cdc781f6158e48656170fe1",
"event_fingerprint": "bb847d726f83193132f212cf0c6e0dfb91731646",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 56
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "25749b344a8abfa6944656369205e18e",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 444,
"service": "http",
"service_name": "http",
"risk_score": 56
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:444\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\n",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:444\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:444\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:444\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:444\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6b5d080fafff450b97ec222d0156ed2191fb36a6",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 444,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:444\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"attack_vector": "lfi path traversal \u00b7 via HTTP:444 \u00b7 (tentative d'exploit)",
"target_port_label": "444 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 56
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 56,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 444,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 444,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:444 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:444\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"target_port_label": "444 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "444"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
6036 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:6036 · (tentative d'exploit)
|
Élevée
|
Moyen · 58
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
6036
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Risque capteur
Moyen
· 58
Confiance : Confiance 59 % — 5 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:6036
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:6036 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "82a6722eca469b5640d07c5a48e1bdc67c7abb4b",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.171737172311436,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 6036,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 58,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "5e4d6f71a05c89fac5b48dbb2b30f7f31ef78242",
"event_fingerprint": "a492bb442d2cbb6303fd89bfbfb03be1d2632080",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 58
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "7a6dc06ac72601e32d3c3ddcb8c036f9",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 6036,
"service": "http",
"service_name": "http",
"risk_score": 58
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6036\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6036\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6036\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6036\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6036\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1d98c216be61ca6e749d9485f04b44848a407a90",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 6036,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6036\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"attack_vector": "lfi path traversal \u00b7 via HTTP:6036 \u00b7 (tentative d'exploit)",
"target_port_label": "6036 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 58
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 58,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 6036,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 6036,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:6036 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6036\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"target_port_label": "6036 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "6036"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
1217 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:1217 · (tentative d'exploit)
|
Élevée
|
Moyen · 56
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
1217
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Risque capteur
Moyen
· 56
Confiance : Confiance 59 % — 5 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:1217
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:1217 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "1c82f14099764f9029be51e7e764cae83093ac2f",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.185554279395616,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 1217,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 56,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "ebf478508d6916efa92126f82a89fd3e37057318",
"event_fingerprint": "a7f1216fe5f82d920869d5e23fda6701f227d2a4",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 56
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "1fc63bb453056635919a80e365e8e05b",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 1217,
"service": "http",
"service_name": "http",
"risk_score": 56
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1217\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1217\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1217\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1217\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1217\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "590e33b895a5056142dfa055ba3df26622516b7c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 1217,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1217\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"attack_vector": "lfi path traversal \u00b7 via HTTP:1217 \u00b7 (tentative d'exploit)",
"target_port_label": "1217 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 56
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 56,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 1217,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 1217,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:1217 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1217\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"target_port_label": "1217 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "1217"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 2,
"behavior_priority": 84
}
|
|
|
TCP |
500 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:500 · (tentative d'exploit) · → /mcp
|
Élevée
|
Moyen · 60
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950383:rce-14
950406:ssrf-3
Cible HTTP
POST
/mcp
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
500
Chemin / cible
/mcp
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
100%
Corrélation +10
Risque capteur
Moyen
· 60
Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
LFI Double-dot bypass
Ligne de requête
POST /mcp HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
rce-14
ssrf-3
nosqli-3
Payload (extrait)
POST /mcp HTTP/1.1
Host: 62.3.50.33:500
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content-L
Requête brute (extrait)
POST /mcp HTTP/1.1 Host: 62.3.50.33:500 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version
Meta JSON brut
{
"http_header_count": 8,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "bdf99e699f1c4e2e2695d8cdc97bc098e338cd8b",
"http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 446,
"payload_entropy": 5.1908240415176845,
"port_category": "well_known",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 500,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.4,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 60,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "47216c11f4021bdfa3231d3515df7cb34837ab8c",
"event_fingerprint": "789e81ea00eb13bb4aff2f6c4d8efbc051adc926",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0103"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0842",
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 60,
"correlation_boost": 10
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "f1bd7f95b6bed81a837c8cad188710e6",
"path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3"
},
"target_context": {
"dst_port": 500,
"service": "http",
"service_name": "http",
"risk_score": 60
},
"payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:500\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-L",
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:500\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:500\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-L",
"evidence": {
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:500\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:500\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-L",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8b9c0e1133a2c461f0f22f7abbaed02d98345cf8",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 500,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:500\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-L",
"attack_vector": "http smuggling probe \u00b7 via HTTP:500 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"target_port_label": "500 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (213.166.84.0\/24)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 60,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 60,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 500,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 500,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:500 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:500\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-L",
"target_port_label": "500 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (213.166.84.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "500"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "213.166.84.0\/24",
"coordinated_ip_count": 3,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
2727 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:2727 · (tentative d'exploit) · → /mcp
|
Élevée
|
Moyen · 59
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950383:rce-14
950406:ssrf-3
Cible HTTP
POST
/mcp
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
2727
Chemin / cible
/mcp
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Risque capteur
Moyen
· 59
Confiance : Confiance 59 % — 5 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
POST /mcp HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
rce-14
ssrf-3
nosqli-3
Payload (extrait)
POST /mcp HTTP/1.1
Host: 62.3.50.33:2727
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content-
Requête brute (extrait)
POST /mcp HTTP/1.1 Host: 62.3.50.33:2727 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versio
Meta JSON brut
{
"http_header_count": 8,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "f80081a339c62f31ee86a13283aa71f9b7001137",
"http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 447,
"payload_entropy": 5.207064899316375,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 2727,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.5,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 59,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "b730ee316196014e242c955d11802c2b51c00756",
"event_fingerprint": "645011c2d77c33b0f4f13abca82008d30b696d77",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 59
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "35b518cb085ad470bde27b3c1c992ec9",
"path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3"
},
"target_context": {
"dst_port": 2727,
"service": "http",
"service_name": "http",
"risk_score": 59
},
"payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:2727\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:2727\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:2727\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"evidence": {
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:2727\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:2727\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a4a9cd7689f3a80d7eaffaa97354a4011ba6c165",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 2727,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:2727\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"attack_vector": "lfi path traversal \u00b7 via HTTP:2727 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"target_port_label": "2727 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 59
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 59,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 2727,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 2727,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:2727 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:2727\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"target_port_label": "2727 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "2727"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
4777 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:4777 · (tentative d'exploit)
|
Élevée
|
Moyen · 55
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
4777
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Risque capteur
Moyen
· 55
Confiance : Confiance 59 % — 5 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 192.0.2.1
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Conne
Requête brute (extrait)
GET / HTTP/1.1 Host: 192.0.2.1 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "e7ac7ecd794e71914a63e2cbdca798fceb5afd12",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 144,
"payload_entropy": 5.097605644356062,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 4777,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 55,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "78071f261f67ebdd4ea7c8a8f963559a905b926c",
"event_fingerprint": "a80d26b5b7638afece129d2584267100c1783bf5",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 55
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "973598b044a4648e3c3fc5667c0c8ce9",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 4777,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConne",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConne",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConne",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "44024056a169628292f9818fec18a5bd670ac7f0",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 4777,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConne",
"attack_vector": "lfi path traversal \u00b7 via HTTP:4777 \u00b7 (tentative d'exploit)",
"target_port_label": "4777 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 55
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 4777,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 4777,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:4777 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConne",
"target_port_label": "4777 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "4777"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 2,
"behavior_priority": 84
}
|
|
|
TCP |
29015 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:29015 · (tentative d'exploit) · → /sse
|
Élevée
|
Moyen · 59
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/sse
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
29015
Chemin / cible
/sse
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
69%
Corrélation +10
Risque capteur
Moyen
· 59
Confiance : Confiance 59 % — 4 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /sse HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /sse HTTP/1.1
Host: 62.3.50.33:29015
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept:
Requête brute (extrait)
GET /sse HTTP/1.1 Host: 62.3.50.33:29015 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "cda38fe48ec9811a4e8ed99b9a1866f6ef301abd",
"http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.162484194512611,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 29015,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 59,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "1010fc7a9002fba69ac505c5e2b66ddbc1ef1c26",
"event_fingerprint": "6c4cc6465a49a92f0eac207116947afff1a201d0",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.69,
"classification_confidence": 0.69,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 59,
"correlation_boost": 10
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "d795e30ddd45f60bb93f5878b9eaea4d",
"path_pattern_hash": "9c55a765acd7167a274de1a30a6df566"
},
"target_context": {
"dst_port": 29015,
"service": "http",
"service_name": "http",
"risk_score": 59
},
"payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ",
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"evidence": {
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "076f61f45da515efd7fe9492eb78f783580e3b5a",
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 29015,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"attack_vector": "lfi path traversal \u00b7 via HTTP:29015 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"target_port_label": "29015 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (213.166.84.0\/24)",
"confidence_pct": 69,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 59,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 59,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 29015,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 29015,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:29015 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"target_port_label": "29015 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (213.166.84.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "29015"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "213.166.84.0\/24",
"coordinated_ip_count": 3,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
6809 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:6809 · (tentative d'exploit)
|
Élevée
|
Moyen · 58
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
6809
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
69%
Corrélation +10
Risque capteur
Moyen
· 58
Confiance : Confiance 59 % — 5 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:6809
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:6809 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "9918a90d1c1757cd2d27dcf416ae3ca833882593",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.206419253236291,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 6809,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 58,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "273afe473a481ae6822019305fabecbbff1fe6a5",
"event_fingerprint": "09b586e434c153881be5d268b8d704baf7125b9b",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.69,
"classification_confidence": 0.69,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 58,
"correlation_boost": 10
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "09a06460b822f8d6ce1e83fad7038034",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 6809,
"service": "http",
"service_name": "http",
"risk_score": 58
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6809\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6809\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6809\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6809\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6809\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "76be3d447c5076786be67c091ab9979559c227a1",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 6809,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6809\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"attack_vector": "lfi path traversal \u00b7 via HTTP:6809 \u00b7 (tentative d'exploit)",
"target_port_label": "6809 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (213.166.84.0\/24)",
"confidence_pct": 69,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 58,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 58,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 6809,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 6809,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:6809 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6809\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"target_port_label": "6809 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (213.166.84.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "6809"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "213.166.84.0\/24",
"coordinated_ip_count": 4,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
11656 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:11656 · (tentative d'exploit) · → /favicon.ico
|
Élevée
|
Moyen · 54
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET /favicon.ico UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
11656
Chemin / cible
/favicon.ico
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 54
Confiance : Confiance 50 % — 4 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:11656
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:11656 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "d877759ec4bae91b33453d185a9ac97cca3ba044",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 185,
"payload_entropy": 5.166287729841245,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 11656,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 54,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "c194a830fada0626b5e44959b734306b13fa7bef",
"event_fingerprint": "84d3d1e16c3db88c326b9ded1e7868f37a123da1",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence": 0.5,
"classification_confidence": 0.5,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 54
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "c21869c10a00b39e11e0c20f6b4a0948",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 11656,
"service": "http",
"service_name": "http",
"risk_score": 54
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:11656\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:11656\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:11656\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:11656\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:11656\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ced1eb20617b7fc4f56c0a1af1b0492728f35eb1",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 11656,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:11656\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"attack_vector": "lfi path traversal \u00b7 via HTTP:11656 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico",
"target_port_label": "11656 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 54
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 54,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 11656,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 11656,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:11656 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico",
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:11656\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"target_port_label": "11656 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "11656"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
8051 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:8051 · (tentative d'exploit) · → /favicon.ico
|
Élevée
|
Moyen · 58
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET /favicon.ico UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8051
Chemin / cible
/favicon.ico
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 58
Confiance : Confiance 50 % — 4 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:8051
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
A
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8051 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "39449661d9e9c70ac63f5f4eb025663102af82a3",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 184,
"payload_entropy": 5.173437365317213,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 8051,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 58,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "8a7875ce59f8976819445069f861822d25627527",
"event_fingerprint": "5c82c8bf625df646112ed505774d2b423f54ce3a",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence": 0.5,
"classification_confidence": 0.5,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 58
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "8ad8700dff4e8801192b803b6c8254ce",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 8051,
"service": "http",
"service_name": "http",
"risk_score": 58
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8051\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8051\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8051\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8051\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8051\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c2e40892d323a8885f0817f94a971d56f088d551",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 8051,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8051\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA",
"attack_vector": "lfi path traversal \u00b7 via HTTP:8051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico",
"target_port_label": "8051 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 58
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 58,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8051,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 8051,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:8051 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico",
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8051\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA",
"target_port_label": "8051 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF"
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8051"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
9152
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 56
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9152
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9152
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9152 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "36f0498c01641ba2149d8e3ad8a9182e69630ab8",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.190495048021473,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 9152,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 56,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "538dc1664d13329de932fabfe2664864ac030041",
"event_fingerprint": "4d7540fa362128d5ebfa7e2826c4f64232f11243",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "c120b15b7b6b3bbb8dd67f0fca42e08a",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9152,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9152\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9152\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9152\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9152\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9152\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ce5ab3430692232fb60435cf134a3685d8334eca",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
707
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 59
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
707
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:707
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:707 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "00ca5ff38d1072ca527072be32a8d419a1163247",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 172,
"payload_entropy": 5.185101076962122,
"port_category": "well_known",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 707,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.8,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 59,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "0dc55e3c56cb228334bd2c7c221eda73adb301ef",
"event_fingerprint": "8df9e9890094ac7b70edf8a493958207754e1b54",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "cef90f51268526dbcecc1ef6c6dbb7ef",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 707,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:707\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\n",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:707\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:707\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:707\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:707\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "eb3fdd0cec3ec204e1dc4305392e13ed641fe225",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
16127
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 55
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
16127
Chemin / cible
/favicon.ico
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:16127
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:16127 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "7496385d1c6f74b4df14c529e7f3eb1e69e2ce5c",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 185,
"payload_entropy": 5.185259486621391,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 16127,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 55,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "492eb91119227fc2f8814b59fb3d0efeca4faa30",
"event_fingerprint": "c4585af566ac80e107a2fc4e15f08da0fd7703e2",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "cac4f9791a9ac723e386035e998e6b04",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 16127,
"service": "http"
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:16127\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:16127\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:16127\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:16127\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:16127\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dd7961dc632faf9cb06ee18ad0d6f1829c74d414",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
21113
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 55
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
21113
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:21113
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:21113 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "ae5660cfe46f2ead1cd4c08b4cb04f6ecce154bb",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.165730621863446,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 21113,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 55,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "5aba27e3c233c9d59aeea10f8bbdc08658bd9c07",
"event_fingerprint": "86d4c004fc207360ba6e5436c654690f85704e40",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "fde45233016408e5cd0943836096994e",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 21113,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21113\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21113\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21113\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21113\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21113\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ea94d1ee34469a5c0484ab920d2c2095660afd4a",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
23321
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 56
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
23321
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:23321
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:23321 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "85683ecbe24eb223bc42062643247656ed6683bf",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.172312501333139,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 23321,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.2,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 56,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "f4fa5031eb73209339b868e664fb3bd12184d29e",
"event_fingerprint": "f0768aad502d0bf407a14394e389c6f31314167d",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "23f888e854a2c089fdb0a6bf154b8061",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 23321,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23321\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23321\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23321\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23321\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23321\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "112273a60f89ffb0f5bc61fd623da4c7d73e121d",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
2775
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 57
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2775
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:2775
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:2775 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "e8cc24d100c42ae08b2370cef2c9c0a06ffb4308",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.197692230089892,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 2775,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.3,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 57,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "164f29c7adba7c78a3c98cbbedafe922d33e44d6",
"event_fingerprint": "b7004c35f00b5f7ae80183fc7809c95f2a1b51eb",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "7add2d189e479d4c080d095b4ede8889",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2775,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2775\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2775\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2775\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2775\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2775\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c4657fc63125ac1a232cbe24d2fa22a464a0a07d",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
5683
|
coap
|
coap probe
|
Élevée
|
Faible · 17
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
coap_emulated
coap_payload
net_coap_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5683
Chemin / cible
—
Pourquoi cette classification : Type « coap_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������������Ұ%��u`�@���C'�������u S��<�&�v���.di��F��C%|:��q%����F�������+�/̨̩�,�0�
� ���������/�5�'�#̪�����g�k�3
Requête brute (extrait)
��������������������Ұ%� u`�@���C'�������u S��<�&�v���.di��F��C%|:��q%����F�������+�/̨̩�,�0� � ���������/�5�'�#̪�����g�k�3�9�<����� ������������������������ ��� ������������� �����#������������"� �����������3�k�i��� �Kg�ц���}�.��[)��}���}�f��pb��K��
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "60440000d1044e6f6e65",
"emulator_response_len": 10,
"bytes_in": 657,
"payload_entropy": 7.037272691265289,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "coap",
"app_proto": "coap",
"asn": 25369,
"country": "GB",
"dst_port": 5683,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 17,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "73ef2866eb124ecf8db6174203ef560a367c1492",
"event_fingerprint": "4ed13698ee2bf972779fffba34f337d0f99f5898",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "fb3e1b088e5209686bfd249fe6c64ee1",
"path_pattern_hash": "2bc9f93b3f58e74e96efca118403941c"
},
"target_context": {
"dst_port": 5683,
"service": "coap"
},
"payload_preview": "\u0016\u0003\u0001\u0002\ufffd\u0001\u0000\u0002\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u04b0%\ufffd\fu`\ufffd@\ufffd\u0010\ufffdC'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu S\ufffd\ufffd<\ufffd&\ufffdv\ufffd\ufffd\b.di\ufffd\ufffdF\u0011\ufffdC%|:\ufffd\ufffdq%\ufffd\ufffd\ufffd\u0000F\u0013\u0001\u0013\u0003\u0013\u0002\ufffd+\ufffd\/\u0329\u0328\ufffd,\ufffd0\ufffd\n\ufffd\t\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd'\ufffd#\u032a\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003",
"request_sample": "\u0016\u0003\u0001\u0002\ufffd\u0001\u0000\u0002\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u04b0%\ufffd\fu`\ufffd@\ufffd\u0010\ufffdC'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu S\ufffd\ufffd<\ufffd&\ufffdv\ufffd\ufffd\b.di\ufffd\ufffdF\u0011\ufffdC%|:\ufffd\ufffdq%\ufffd\ufffd\ufffd\u0000F\u0013\u0001\u0013\u0003\u0013\u0002\ufffd+\ufffd\/\u0329\u0328\ufffd,\ufffd0\ufffd\n\ufffd\t\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd'\ufffd#\u032a\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000<\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0005\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\u0014\u0001\u0000\u0001\ufffd\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\n\u0000\u000e\u0000\f\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0001\u0000\u0001\u0001\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\"\u0000\n\u0000\b\u0004\u0003\u0005\u0003\u0006\u0003\u0002\u0003\u00003\u0000k\u0000i\u0000\u001d\u0000 \ufffdKg\u0000\u0446\ufffd\ufffd\b}\ufffd.\ufffd\ufffd[)\ufffd\ufffd}\ufffd\ufffd\ufffd}\ufffdf\u0013\ufffdpb\u0019\ufffdK\u0000\u0017",
"payload_snippet": "\u0016\u0003\u0001\u0002\ufffd\u0001\u0000\u0002\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u04b0%\ufffd\fu`\ufffd@\ufffd\u0010\ufffdC'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu S\ufffd\ufffd<\ufffd&\ufffdv\ufffd\ufffd\b.di\ufffd\ufffdF\u0011\ufffdC%|:\ufffd\ufffdq%\ufffd\ufffd\ufffd\u0000F\u0013\u0001\u0013\u0003\u0013\u0002\ufffd+\ufffd\/\u0329\u0328\ufffd,\ufffd0\ufffd\n\ufffd\t\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd'\ufffd#\u032a\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\ufffd\u0001\u0000\u0002\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u04b0%\ufffd\fu`\ufffd@\ufffd\u0010\ufffdC'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu S\ufffd\ufffd<\ufffd&\ufffdv\ufffd\ufffd\b.di\ufffd\ufffdF\u0011\ufffdC%|:\ufffd\ufffdq%\ufffd\ufffd\ufffd\u0000F\u0013\u0001\u0013\u0003\u0013\u0002\ufffd+\ufffd\/\u0329\u0328\ufffd,\ufffd0\ufffd\n\ufffd\t\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd'\ufffd#\u032a\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000<\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0005\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\u0014\u0001\u0000\u0001\ufffd\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\n\u0000\u000e\u0000\f\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0001\u0000\u0001\u0001\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\"\u0000\n\u0000\b\u0004\u0003\u0005\u0003\u0006\u0003\u0002\u0003\u00003\u0000k\u0000i\u0000\u001d\u0000 \ufffdKg\u0000\u0446\ufffd\ufffd\b}\ufffd.\ufffd\ufffd[)\ufffd\ufffd}\ufffd\ufffd\ufffd}\ufffdf\u0013\ufffdpb\u0019\ufffdK\u0000\u0017",
"payload_snippet": "\u0016\u0003\u0001\u0002\ufffd\u0001\u0000\u0002\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u04b0%\ufffd\fu`\ufffd@\ufffd\u0010\ufffdC'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu S\ufffd\ufffd<\ufffd&\ufffdv\ufffd\ufffd\b.di\ufffd\ufffdF\u0011\ufffdC%|:\ufffd\ufffdq%\ufffd\ufffd\ufffd\u0000F\u0013\u0001\u0013\u0003\u0013\u0002\ufffd+\ufffd\/\u0329\u0328\ufffd,\ufffd0\ufffd\n\ufffd\t\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd'\ufffd#\u032a\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003",
"classification_reason": "Type \u00ab coap_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"classification_reason": "Type \u00ab coap_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3d7f7d4ad6e4083a84e74324268f6fe787889dbd",
"ban_policy": "advisory_monitor",
"tags_list": [
"coap_emulated",
"coap_payload",
"net_coap_probe",
"tls_clienthello"
]
}
|
|
|
TCP |
14346
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 58
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
14346
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:14346
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:14346 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "cc1758b0ea288b9e1a31eae377ab060252267f97",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.197395995451532,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 14346,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 58,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "cad7cf7c6131c021072da65a9310cbe7e5a5f5c5",
"event_fingerprint": "063102940685e35f168b7cccd7ca1bdeddfabace",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "8bce59ae04c4b98d142ba4f00426050d",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 14346,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:14346\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:14346\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:14346\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:14346\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:14346\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4c5cef2d3c959faad396f7d6fd2e880f8acb76e3",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
28832
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 55
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
28832
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:28832
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:28832 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "0f6cd0472139e0bdb3cb3661c30f852a8e67b2fc",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.2002133804841355,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 28832,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 55,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "1807582f8cbc077dcfe1a6fdd0d3bddd38f05e43",
"event_fingerprint": "b46b1dd7cc2d985a083f7b7d852a4fa8a6112704",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "3e51e8bc28e1d7c7ee394c4fa878b4da",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 28832,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28832\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28832\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28832\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28832\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28832\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "47ae8e3b63707a9122a97fec97334190c9e90abe",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
29015
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 59
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
29015
Chemin / cible
/favicon.ico
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:29015
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:29015 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "cda38fe48ec9811a4e8ed99b9a1866f6ef301abd",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 185,
"payload_entropy": 5.18314943513186,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 29015,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 59,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "1010fc7a9002fba69ac505c5e2b66ddbc1ef1c26",
"event_fingerprint": "f0e11434c8c06e867d4b85e60557468deaf5ba2c",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "940aff11b3e2a4dade1b21d686b261eb",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 29015,
"service": "http"
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:29015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:29015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:29015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:29015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:29015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "69578ae41fd4da6a35ff4a4804dc0b50cf6ff88f",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
6046
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 55
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
6046
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:6046
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:6046 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "b117f50cd819d0abab2d5e2a6d84e80dc35d75a5",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.190495048021473,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 6046,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 55,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "b277afdf73f784195443c854fde2ba216458e0c2",
"event_fingerprint": "b4e52fc8a40bebdc46da3c573ba723483421a330",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "a9f2c550f6cc01a1934f6b82ee42e63f",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 6046,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6046\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6046\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6046\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6046\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6046\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7d1616d9079537701db56a0d4f3972acec422ed6",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
7777
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 58
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
7777
Chemin / cible
/favicon.ico
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:7777
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
A
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:7777 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "434883bb641a2e9cbc2ec385cba5dca817862768",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 184,
"payload_entropy": 5.180204281066325,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 7777,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.7,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 58,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "644dbd9a75c3dbbe70322479a0d62eb801f5e310",
"event_fingerprint": "9a2e388923d2a5fd329b760064fa1d4a8f66eeac",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "453dba723633537e0b5d2138cb8e1d60",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 7777,
"service": "http"
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f3595d4f4b0560f2ce1758cd62af4cf51d3f98da",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
1217
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 56
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
1217
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:1217
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:1217 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "1c82f14099764f9029be51e7e764cae83093ac2f",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.185554279395616,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 1217,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 56,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "ebf478508d6916efa92126f82a89fd3e37057318",
"event_fingerprint": "a7f1216fe5f82d920869d5e23fda6701f227d2a4",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "1fc63bb453056635919a80e365e8e05b",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 1217,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1217\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1217\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1217\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1217\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1217\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "590e33b895a5056142dfa055ba3df26622516b7c",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
7687
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 59
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
7687
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:7687
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:7687 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "0a47e5cd9408ba7914b6522a807348048abf89f6",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.21361643530471,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 7687,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.5,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 59,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "e93966859d92a20d68e99caf9b3abb047e675746",
"event_fingerprint": "b1ff6f1efdffbf20200343a9262a7fc9a74ac11a",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "97bbbd22f3f2a8288cf23108d94e0844",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 7687,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7687\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7687\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7687\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7687\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7687\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c5cf3e6be547f10cc6144452335fdf6b87855fe1",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
88
|
http
|
web attack
|
Élevée
|
Moyen · 64
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
88
Chemin / cible
/
Confiance classification
95%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:88
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
C
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "3f53fd38a0b70842554ee03ec3c54d18c411dc66",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 171,
"payload_entropy": 5.182559882877483,
"port_category": "well_known",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 88,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 64,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "953051c6bb171f9bb9d98081e4f15494bbdfae86",
"event_fingerprint": "6840b463c7f2afb1d7a870a09905277e24a1cba5",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "f89cc02076cccb91038f9049398064e7",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 88,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.95,
"classification_confidence": 0.95,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nC",
"event_signature": "f369ffe146598e66af0468bcb9244cf8dfc04207",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
5683
|
http
|
web attack
|
Élevée
|
Moyen · 60
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5683
Chemin / cible
/
Confiance classification
95%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:5683
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "8f9985daf63a005ad653145a5333ff4f3e7ccd70",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.190495048021473,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 60,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "c848df99d07e9d73877e3ebc79b250eac2a04094",
"event_fingerprint": "5f5f19a0cc0f8a1f5958fef356be54a43adf612d",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "e8cb15ae0a2de7734ffb59e2244758b0",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 5683,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.95,
"classification_confidence": 0.95,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5683\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r",
"event_signature": "675ad0a05bf277080868da3db220d8ebb85c48ce",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
5683
|
http
|
web attack
|
Élevée
|
Moyen · 60
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5683
Chemin / cible
/
Confiance classification
95%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 192.0.2.1
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Conne
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "e7ac7ecd794e71914a63e2cbdca798fceb5afd12",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 144,
"payload_entropy": 5.097605644356062,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 60,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "c848df99d07e9d73877e3ebc79b250eac2a04094",
"event_fingerprint": "5f5f19a0cc0f8a1f5958fef356be54a43adf612d",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "973598b044a4648e3c3fc5667c0c8ce9",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 5683,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.95,
"classification_confidence": 0.95,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConne",
"event_signature": "8e082227ca58304eb9c2f159948ca11ed4f7659c",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
1433
|
tls
|
Sonde TLS
|
Élevée
|
Élevé · 81
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
1962
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
5090
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
6033
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
6033
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "4e5a819ab20816e1e711beced52d7636d5547955",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.166796403685578,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "5fcb9d3a6d87db34a96c4347913be26328829b31",
"event_fingerprint": "02df7d54a182685e07b705b8541537c53ae5b490",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
5038
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
27015
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
6027
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
14440
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
21119
|
—
|
Sonde port
|
Faible
|
Faible · 5
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
623
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
623
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "7358dea76c4040fd81c33d4cf5dc2a0681acdad0",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 172,
"payload_entropy": 5.173473169985378,
"port_category": "well_known",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "0566b197fbc9468c103d4d5cfcfe227c98fa07c9",
"event_fingerprint": "9d45c698f0a99bafb3b2b012ce3d25030ed50b07",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
5672
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5672
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "35549556969ec8b1fccf9709f717baae0cc4c5f3",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.197692230089892,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "d72c7464e8ed6d6da654db65b3119485f7af5316",
"event_fingerprint": "e8dac2f11f507ea7818629b1c3afbd6834369cf9",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
14580
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
2762
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
6021
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
6021
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "fd4ae2c851e00196bc37d99e0f47b78834bab5c5",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.176100683884634,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "f3907887ad2bd9fc3f95af22f533bf342f875a88",
"event_fingerprint": "3df8e41ef542e55ab951d8ed7fd710645e3dec15",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
33060
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
135
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
1400
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
8291
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
6063
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
6063
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "cf9a57a368ae6748eaf3d6d9bfb314175b20471f",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.171737172311436,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "c1575b4fb307436f4f2399c75af977ab05ff2b4f",
"event_fingerprint": "6fb9b1f52a69813316c6bf57b2166d7fb853e913",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
587
|
smtp
|
smtp
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
2427
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
6045
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
6045
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "4ba67eea4408ba89f5614313efa05f30d3f43689",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.190495048021473,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "476048c618d642a111774ccf70e38b055b47710d",
"event_fingerprint": "73d20d16533ed7d648a3d0c1b4deffc074a69ae7",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
6600
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|