Renseignement sur les menaces

Royaume-Uni

217.146.80.103

FAI Hydra Communications Ltd Première vue 25/04/2026 08:19 UTC Dernière vue 17/06/2026 06:09 UTC Risque Critique

Période analysée : 2026-03-19 → 2026-06-17

Activité suspecte — risque 57/100 (Moyen) — MITRE TA0001 — confiance 59 % — via HTTP

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

100

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 100/100 Critique

Première observation 25/04/2026 08:19 UTC

Dernière observation 17/06/2026 06:09 UTC

Événements (période) 174

MITRE ATT&CK principal TA0001 40 occurrences

Activité suspecte — risque 57/100 (Moyen) — MITRE TA0001 — confiance 59 % — via HTTP

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%

Confiance 59 % — Score WAF 100 · 5 tag(s) WAF

Comparaison ASN / FAI

ASN 25369 · 217.146.80.0/20 · RIPENCC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 174 événements sur la période pour cette IP.

81.19.219.231 Sonde HTTP smuggling 17/06/2026 07:48 UTC
195.206.182.220 Traversal LFI 17/06/2026 07:48 UTC
193.32.209.247 Traversal LFI 17/06/2026 07:48 UTC
195.140.214.29 Traversal LFI 17/06/2026 07:48 UTC
188.240.59.38 Sonde HTTP smuggling 17/06/2026 07:48 UTC
69.5.169.187 Sonde port 17/06/2026 07:48 UTC
81.19.219.217 Sonde HTTP smuggling 17/06/2026 07:43 UTC
31.14.254.14 Traversal LFI 17/06/2026 07:43 UTC

Événements (filtres)

174

Première observation

25/04/2026 08:19 UTC

Dernière observation

17/06/2026 06:09 UTC

Dernière activité (filtres)

17/06/2026 06:09 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 94 TLS TCP 65 SSH TCP 2 MEMCACHED TCP 1 VMWARE AUTH TCP 1 MSRPC TCP 1 QOTD TCP 1 SOCKS TCP 1

HTTP

TLS

SSH

MEMCACHED

VMWARE AUTH

MSRPC

Géolocalisation

Origine réseau déclarée

Royaume-Uni unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Hydra Communications Ltd 131 Port 28196 lfi_path_traversal

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

lfi path traversal · via HTTP:28196 · (tentative d'exploit)

Détails protocole

Méthode: GET
Chemin: /
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)

Aperçu payload

GET / HTTP/1.1 Host: 62.3.50.33:28196 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */*

Port / service

28196 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 59 % — 5 tag(s) WAF

Technique MITRE

TA0001

Persona capteur

mail.sensor-1.internal

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

CRS-930100-sub

Confiance

59%

Famille de menace

path_traversal

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

174 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

174 événement(s) — page 1/4

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 06:09:08 UTC	TCP	28196 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:28196 · (tentative d'exploit)	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 28196 Chemin / cible / Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 57 Confiance : Confiance 59 % — 5 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:28196 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:28196 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "7db314d89413d045b2385aad21a46509284764b7", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.216046067278179, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 28196, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 57, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f08c80642a3af7ca8dff8be6f9eb7774f5819ac3", "event_fingerprint": "ca4c7e60d9c13a9e425f6bd8c73084be2019b677", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 57 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "87620ee6f444a896b62b64e6c10b1926", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 28196, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28196\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28196\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28196\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28196\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28196\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "613a6e2b7b26934fa118a344ea4085a6f6254285", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 28196, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28196\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "attack_vector": "lfi path traversal \u00b7 via HTTP:28196 \u00b7 (tentative d'exploit)", "target_port_label": "28196 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 57 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 28196, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 28196, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:28196 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28196\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "target_port_label": "28196 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "28196" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
17/06/2026 05:32:51 UTC	TCP	32113 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:32113 · (tentative d'exploit) · → /mcp	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 34 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST /mcp TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 32113 Chemin / cible /mcp Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 64 Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST /mcp HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 Payload (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:32113 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content Requête brute (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:32113 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versi Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "535f9c1975fab23770aba246ae185115a2a56de6", "http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 448, "payload_entropy": 5.196348963320393, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 32113, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ea4e72a1c422e465b91fd471ee118e9d5b1f7928", "event_fingerprint": "8176b7016fda26e44d72f6ad88a325726dbc12ab", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "863c5359e2fe7e33102057c47724dcd3", "path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3" }, "target_context": { "dst_port": 32113, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:32113\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:32113\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:32113\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "evidence": { "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:32113\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:32113\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1724c5baf16564765c95e2772d1132260504ed1a", "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 32113, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:32113\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "attack_vector": "http smuggling probe \u00b7 via HTTP:32113 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "target_port_label": "32113 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 32113, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 32113, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:32113 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:32113\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "target_port_label": "32113 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "32113" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ] }
17/06/2026 03:47:52 UTC	TCP	11033 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:11033 · (tentative d'exploit) · → /sse	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /sse TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 11033 Chemin / cible /sse Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 59 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /sse HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:11033 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: Requête brute (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:11033 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "de862abfa428f2049d41e804cc531e9e651b6a28", "http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.132591493232263, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 11033, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 59, "tag_count": 4, "anomaly_count": 0, "campaign_key": "ed105dd71e1b8f4ab36630742118aa6f8b1a0b46", "event_fingerprint": "b70339cd70fa6296483f74fae6b9788cf7f5b3ae", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 59 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "7ab877a21ac5c44e9dc37168631a4374", "path_pattern_hash": "9c55a765acd7167a274de1a30a6df566" }, "target_context": { "dst_port": 11033, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11033\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ", "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11033\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11033\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "evidence": { "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11033\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11033\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "10fcb358cbbca59e95a99e0bed3e50e0cb54ddf0", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 11033, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11033\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "attack_vector": "lfi path traversal \u00b7 via HTTP:11033 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "target_port_label": "11033 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 11033, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 11033, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:11033 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11033\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "target_port_label": "11033 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "11033" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
17/06/2026 02:38:51 UTC	TCP	14570 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:14570 · (tentative d'exploit)	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 14570 Chemin / cible / Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 55 Confiance : Confiance 59 % — 5 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:14570 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:14570 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "0d461aad43e17530ccba0513d299dcef0cdcedf0", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.204551814404615, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 14570, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 55, "tag_count": 5, "anomaly_count": 0, "campaign_key": "d1137a04e4a44e2c584bc1ca9bfc53ed0384e427", "event_fingerprint": "8676747ecebb9f99c01d0025d1dd96b08b1d00c8", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 55 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "b80bc2bcce2f29be682c5c27667544a8", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 14570, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:14570\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:14570\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:14570\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:14570\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:14570\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3bec1942cfec2df8562fe0a106b328e7493d9fd1", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 14570, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:14570\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "attack_vector": "lfi path traversal \u00b7 via HTTP:14570 \u00b7 (tentative d'exploit)", "target_port_label": "14570 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 14570, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 14570, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:14570 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:14570\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "target_port_label": "14570 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "14570" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
17/06/2026 00:45:07 UTC	TCP	11224 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:11224 · (tentative d'exploit)	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 11224 Chemin / cible / Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 55 Confiance : Confiance 59 % — 5 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:11224 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:11224 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "313a5455e5fe992d1a94c7d75555739872f564e8", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.190962573159786, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 11224, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 55, "tag_count": 5, "anomaly_count": 0, "campaign_key": "80ad0ef5b76b05922c206c709996fdd7b0c6a46a", "event_fingerprint": "f3dd813d47fdef7c9e122b37f3b4efcbba2cac11", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 55 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "74f52acd1a47201261a147fa638004bc", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 11224, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11224\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11224\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11224\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11224\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11224\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e9837e7771a8c2df6d14fca753c4d671200e23dc", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 11224, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11224\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "attack_vector": "lfi path traversal \u00b7 via HTTP:11224 \u00b7 (tentative d'exploit)", "target_port_label": "11224 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 11224, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 11224, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:11224 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11224\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "target_port_label": "11224 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "11224" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
16/06/2026 23:37:09 UTC	TCP	20772 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:20772 · (tentative d'exploit)	Élevée	Moyen · 60
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 37 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 20772 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 60 Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:20772 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Le Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:20772 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version: Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "e543fd0c4a10aaa8992f622c23467a597e7754fe", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 445, "payload_entropy": 5.207652991758623, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 20772, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 60, "tag_count": 6, "anomaly_count": 0, "campaign_key": "60219a126bbeb92692d37f4625b3d148a758b6c4", "event_fingerprint": "7fa57c78d6f3bcd8775454b01614a69d538f95c4", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 60 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "39e203b84a8b992249ab5af5059c4878", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 20772, "service": "http", "service_name": "http", "risk_score": 60 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:20772\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:20772\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:20772\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:20772\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:20772\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "875df3ba114a9964eb9e49107c1254ac0d790707", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 20772, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:20772\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "attack_vector": "http smuggling probe \u00b7 via HTTP:20772 \u00b7 (tentative d'exploit)", "target_port_label": "20772 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 60 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 60, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20772, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 20772, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:20772 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:20772\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "target_port_label": "20772 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20772" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
16/06/2026 23:13:50 UTC	TCP	28141 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:28141 · (tentative d'exploit)	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 37 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 28141 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 63 Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:28141 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Le Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:28141 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version: Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "93de2f5d303ab2171eac47fb3627123d53713dc9", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 445, "payload_entropy": 5.2141466701319095, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 28141, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 63, "tag_count": 6, "anomaly_count": 0, "campaign_key": "f953629b4a92d1f4bc82eeaf27ebbcb0efca10a0", "event_fingerprint": "6ab42d50ffb72d8d89fe50dcb2997b36febcf37e", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "7ca35c7199326da735fac9889c8a3703", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 28141, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28141\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28141\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28141\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28141\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28141\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9cb7b027551a83a89cd8fd90ab7ccd1da52e7018", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 28141, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28141\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "attack_vector": "http smuggling probe \u00b7 via HTTP:28141 \u00b7 (tentative d'exploit)", "target_port_label": "28141 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 28141, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 28141, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:28141 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28141\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "target_port_label": "28141 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "28141" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
16/06/2026 22:21:06 UTC	TCP	25015 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:25015 · (tentative d'exploit) · → /mcp	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 34 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST /mcp TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 25015 Chemin / cible /mcp Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 64 Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST /mcp HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 Payload (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:25015 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content Requête brute (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:25015 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versi Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "5174c11f0cd7027cb10691fb6d4dba3731fcc571", "http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 448, "payload_entropy": 5.195586819592053, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 25015, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.4, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "29f30ce21173d38a17fad558cdf22f650739bd9f", "event_fingerprint": "fa9e092b3656ee37e9649c158272bca1ee4d5766", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "fb5e775b7d2cd445a8849ed42e2546c3", "path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3" }, "target_context": { "dst_port": 25015, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:25015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:25015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:25015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "evidence": { "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:25015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:25015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9e6fb517c0045f0676510e99241a3adb9670b88e", "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 25015, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:25015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "attack_vector": "http smuggling probe \u00b7 via HTTP:25015 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "target_port_label": "25015 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 25015, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 25015, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:25015 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:25015\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "target_port_label": "25015 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "25015" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ] }
16/06/2026 21:43:26 UTC	TCP	18472 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:18472 · (tentative d'exploit)	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 37 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 18472 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 64 Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:18472 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Le Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:18472 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version: Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "cdefaa95c0689d3cd2ba63893e2a57dfe5917873", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 445, "payload_entropy": 5.223918615178195, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 18472, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.4, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "1c32846182df4c56e696ae4a34582bc0bc3954ed", "event_fingerprint": "fc8afaced96ef29a7f1d94fad83f2c6a947cce88", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "90bee264e409ef260dab6890a00f9b32", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 18472, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:18472\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:18472\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:18472\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:18472\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:18472\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c6ce58138f23afec9e088fde4839f21618eafae5", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 18472, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:18472\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "attack_vector": "http smuggling probe \u00b7 via HTTP:18472 \u00b7 (tentative d'exploit)", "target_port_label": "18472 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18472, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 18472, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:18472 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:18472\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "target_port_label": "18472 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18472" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
16/06/2026 16:03:36 UTC	TCP	2992 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:2992 · (tentative d'exploit)	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 37 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 2992 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 62 Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:2992 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Len Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:2992 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version: Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "217ee8f280418a82ec204b7831d62847ceb3189b", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 444, "payload_entropy": 5.206884691268029, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 2992, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 62, "tag_count": 6, "anomaly_count": 0, "campaign_key": "7fc04385cdd18c3f51b2f143d797162c10145972", "event_fingerprint": "0b9db5eddc9b4c046e10fc246afc0da9b5640fc8", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 62 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "533f4222539bb2edfdb7500b51e67a6d", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2992, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:2992\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Len", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:2992\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version: ", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:2992\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Len", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:2992\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version: ", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:2992\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Len", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "25cc3581fbd59bb27f13ea580a65e7d0ef34820c", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 2992, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:2992\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Len", "attack_vector": "http smuggling probe \u00b7 via HTTP:2992 \u00b7 (tentative d'exploit)", "target_port_label": "2992 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 62 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2992, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 2992, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:2992 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:2992\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Len", "target_port_label": "2992 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2992" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
16/06/2026 15:02:13 UTC	TCP	28412 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:28412 · (tentative d'exploit)	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 37 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 28412 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 62 Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:28412 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Le Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:28412 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version: Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "b4f7eb8f009d2f3bad6dc59845e5c5b7bfb5901a", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 445, "payload_entropy": 5.213379388355963, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 28412, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 62, "tag_count": 6, "anomaly_count": 0, "campaign_key": "f80d1f6b58401d36e9562df7fac0b98a60d0169d", "event_fingerprint": "43e51f2e2b3c9b8e38e714a9bbf0d0461f75c177", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 62 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "baeaf5b52b6e40e61da29bb7b5e24468", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 28412, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28412\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28412\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28412\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28412\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28412\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "09ac82203ead261c4375829326dda890d589f9f7", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 28412, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28412\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "attack_vector": "http smuggling probe \u00b7 via HTTP:28412 \u00b7 (tentative d'exploit)", "target_port_label": "28412 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 62 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 28412, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 28412, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:28412 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28412\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "target_port_label": "28412 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "28412" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
16/06/2026 12:09:40 UTC	TCP	18291 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:18291 · (tentative d'exploit) · → /favicon.ico	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /favicon.ico UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18291 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 54 Confiance : Confiance 50 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:18291 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:18291 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "f84a5fef720dbbdafcce0f29ca107ab812260661", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.196070297432201, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 18291, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.6, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "17b6f20353abf7dbab5b74b96103b9ee78bf8181", "event_fingerprint": "6fe6013b22ba8a8579e34b0617bc4e2fb2349f7c", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 54 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "c42db924b856245ec8a1411ce4095297", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 18291, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18291\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18291\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18291\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18291\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18291\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "653da7cda5db6f3d4780c3422c4d675e123490f9", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 18291, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18291\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "attack_vector": "lfi path traversal \u00b7 via HTTP:18291 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "target_port_label": "18291 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP", "confidence_pct": 50, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 54 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18291, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 18291, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:18291 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18291\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "target_port_label": "18291 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18291" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
16/06/2026 11:24:45 UTC	TCP	439 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:439 · (tentative d'exploit)	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 439 Chemin / cible / Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 55 Confiance : Confiance 59 % — 5 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:439 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:439 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "40445650f964514b0d49315abf50fcf7bd91a306", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 172, "payload_entropy": 5.196728983938867, "port_category": "well_known", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 439, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 55, "tag_count": 5, "anomaly_count": 0, "campaign_key": "63dec6555f2a5f63f638b578b4efa20bdc31844e", "event_fingerprint": "8d7a15287572f01f346b8633e89249fe2730ce8a", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 55 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "56ee77ac0546018902d78d10933fa3e8", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 439, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\n", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8d320b0f0615f0002e5c366a9ecf6ac215f925d3", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 439, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "attack_vector": "lfi path traversal \u00b7 via HTTP:439 \u00b7 (tentative d'exploit)", "target_port_label": "439 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 439, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 439, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:439 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "target_port_label": "439 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "439" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
16/06/2026 10:44:46 UTC	TCP	19585 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:19585 · (tentative d'exploit)	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 37 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 19585 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 63 Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:19585 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Le Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:19585 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version: Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "b082ae62dfa8187494bf0dc3b3b1d5938a9f12f5", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 445, "payload_entropy": 5.216025314128788, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 19585, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 63, "tag_count": 6, "anomaly_count": 0, "campaign_key": "66d7801533817cac6e7fd66e3a75a870f8c7a846", "event_fingerprint": "20fc761985d1fc09f98486eb054c33335a204f57", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "7fa113d496f13a8d65ed4440d792112b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 19585, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19585\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19585\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19585\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19585\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19585\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0a437a24ebfe111e3cfa7729bfff3206946332c8", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 19585, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19585\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "attack_vector": "http smuggling probe \u00b7 via HTTP:19585 \u00b7 (tentative d'exploit)", "target_port_label": "19585 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 19585, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 19585, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:19585 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19585\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "target_port_label": "19585 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "19585" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
15/06/2026 18:13:52 UTC	TCP	973 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:973 · (tentative d'exploit) · → /mcp	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 34 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST /mcp TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 973 Chemin / cible /mcp Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 61 Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST /mcp HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 Payload (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:973 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-L Requête brute (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:973 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "dbd8ff3b1ea0a02240ee2bffdf031777ca5fc9f5", "http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 446, "payload_entropy": 5.212179249571562, "port_category": "well_known", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 973, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "09874707f08ec816c28b8a0dc60aab6d112be502", "event_fingerprint": "f8d0d82a88eadaab1d1e8aa1eed67832914c6832", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 61 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "664fa64d35f21d6fc4ba005ec5f501d5", "path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3" }, "target_context": { "dst_port": 973, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:973\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-L", "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:973\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:973\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-L", "evidence": { "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:973\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:973\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-L", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "918f65424cc01b9fc185ca75152272b37d8e6831", "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 973, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:973\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-L", "attack_vector": "http smuggling probe \u00b7 via HTTP:973 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "target_port_label": "973 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 61 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 973, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 973, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:973 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:973\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-L", "target_port_label": "973 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "973" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ] }
15/06/2026 17:33:36 UTC	TCP	26608 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:26608 · (tentative d'exploit)	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 26608 Chemin / cible / Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 56 Confiance : Confiance 59 % — 5 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:26608 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:26608 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "8a339a76a8314fb04989d4a7517adb0b9f43b1f4", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.2002133804841355, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 26608, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 56, "tag_count": 5, "anomaly_count": 0, "campaign_key": "29fe85cb25e50d41980b9bb18fa1435de9ee5649", "event_fingerprint": "292b4010901753ce4da283fb997f60c00504213b", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 56 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "e18b8073b619115e4b512e3f6e0f5acd", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 26608, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26608\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26608\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26608\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26608\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26608\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6f0b902104f087e3e7cec4b94a30b0c17efc6607", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 26608, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26608\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "attack_vector": "lfi path traversal \u00b7 via HTTP:26608 \u00b7 (tentative d'exploit)", "target_port_label": "26608 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 56 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 26608, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 26608, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:26608 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26608\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "target_port_label": "26608 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "26608" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
15/06/2026 16:51:24 UTC	TCP	24694 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:24694 · (tentative d'exploit)	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 37 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 24694 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 62 Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:24694 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Le Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:24694 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version: Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "e9088f3b870ebe556b5bd7f1e36b4c594300a0f8", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 445, "payload_entropy": 5.221439057767498, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 24694, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 62, "tag_count": 6, "anomaly_count": 0, "campaign_key": "2370e9dc018dc5aa32ad08bad0cd278d26d729f3", "event_fingerprint": "4955b0048445883c0cfb3b7d3e48134e90c0f1d1", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 62 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "79b16429cb77c85e9e97e503fc025ddb", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 24694, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:24694\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:24694\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:24694\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:24694\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:24694\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d5cd8df5d4c99f275c7941cb92a39cadf083e1f7", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 24694, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:24694\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "attack_vector": "http smuggling probe \u00b7 via HTTP:24694 \u00b7 (tentative d'exploit)", "target_port_label": "24694 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 62 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 24694, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 24694, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:24694 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:24694\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "target_port_label": "24694 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "24694" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
15/06/2026 09:03:07 UTC	TCP	21162 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:21162 · (tentative d'exploit) · → /favicon.ico	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /favicon.ico UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 21162 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 57 Confiance : Confiance 50 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:21162 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:21162 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "939aac65b165ee7c74d4859c2beaacd24e88fd28", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.170368202825912, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 21162, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "29fa503c77b840aaf0a31d2a4570af1123a0d3ac", "event_fingerprint": "1b7c0f90600735437ef35aa68e56c6db1f54d146", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 57 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "e03f01aaf0a3584b084f7eb8ebf38262", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 21162, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:21162\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:21162\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:21162\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:21162\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:21162\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "712ab5ca52dd60ffb746baa410bc732184834a47", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 21162, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:21162\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "attack_vector": "lfi path traversal \u00b7 via HTTP:21162 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "target_port_label": "21162 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP", "confidence_pct": 50, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 57 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 21162, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 21162, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:21162 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:21162\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "target_port_label": "21162 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "21162" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
15/06/2026 07:33:54 UTC	TCP	18090 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:18090 · (tentative d'exploit) · → /favicon.ico	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /favicon.ico UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18090 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 57 Confiance : Confiance 50 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:18090 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:18090 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "b125899ca65e06a50ad10ec03d66c2be49e3ff1c", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.189339959606058, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 18090, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "de57d3406d8a0b3b8a69b6d815cb6b3923a52281", "event_fingerprint": "2cad8f06a7588a15344a188f12b902f824757068", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 57 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "4c92f900b0c0fb966360eff2ed01e3e7", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 18090, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18090\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18090\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18090\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18090\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18090\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cbc419da81bb26d3a982fd5e412df6bed0082693", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 18090, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18090\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "attack_vector": "lfi path traversal \u00b7 via HTTP:18090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "target_port_label": "18090 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP", "confidence_pct": 50, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 57 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18090, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 18090, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:18090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18090\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "target_port_label": "18090 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
15/06/2026 05:53:31 UTC	TCP	28765 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:28765 · (tentative d'exploit)	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 37 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 28765 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 64 Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:28765 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Le Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:28765 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version: Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "a585d22920176baee43da4835d140b8888877461", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 445, "payload_entropy": 5.2171690925317895, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 28765, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.6, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "7f961d64e88bd58ec13e7c5f7444a985a5f469ec", "event_fingerprint": "baadb9451f4fce4b31d7d43f528f9f7f88b98e3f", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "5398a857bfd29cbbe7100672a026ff34", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 28765, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28765\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28765\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28765\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28765\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28765\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f74a7505dba83e55aed45ea0707ab7c20dead770", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 28765, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28765\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "attack_vector": "http smuggling probe \u00b7 via HTTP:28765 \u00b7 (tentative d'exploit)", "target_port_label": "28765 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 28765, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 28765, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:28765 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:28765\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "target_port_label": "28765 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "28765" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
15/06/2026 05:12:16 UTC	TCP	941 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:941 · (tentative d'exploit) · → /sse	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /sse TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 941 Chemin / cible /sse Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 56 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /sse HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:941 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: te Requête brute (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:941 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "ddcf64d3bc92b4a2def988bfa12e271e8a65e77c", "http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 189, "payload_entropy": 5.164070863359065, "port_category": "well_known", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 941, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "dfab167786524e21b12528c27b7328ed7f11b173", "event_fingerprint": "209a9945a66a104ac06f3e668340cccffac3dad6", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 56 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "f3f112feb918d625b91b4b5875de800d", "path_pattern_hash": "9c55a765acd7167a274de1a30a6df566" }, "target_context": { "dst_port": 941, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:941\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: te", "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:941\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:941\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: te", "evidence": { "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:941\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:941\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: te", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ab23806ace3b1fc708e6f6889e2189a8d5a03235", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 941, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:941\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: te", "attack_vector": "lfi path traversal \u00b7 via HTTP:941 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "target_port_label": "941 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 56 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 941, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 941, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:941 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:941\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: te", "target_port_label": "941 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "941" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
15/06/2026 04:36:37 UTC	TCP	29793 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:29793 · (tentative d'exploit) · → /sse	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /sse TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 29793 Chemin / cible /sse Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 54 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /sse HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:29793 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: Requête brute (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:29793 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "ea468273f7562024ad1252d3489550cd772addba", "http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.1834266028895755, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 29793, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9b406ef7b395420d1e6eb8e08f5d37b5b04f7e42", "event_fingerprint": "07cf76c9e72c1091f999ed4138e95a34bb7c9a76", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 54 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "59d00f22f9191ce559969f4ba6566b6f", "path_pattern_hash": "9c55a765acd7167a274de1a30a6df566" }, "target_context": { "dst_port": 29793, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29793\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ", "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29793\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29793\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "evidence": { "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29793\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29793\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "598d2ee489c679ce6b553dd8a1f6b2b3220e72b1", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 29793, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29793\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "attack_vector": "lfi path traversal \u00b7 via HTTP:29793 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "target_port_label": "29793 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 54 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 29793, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 29793, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:29793 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29793\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "target_port_label": "29793 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "29793" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
15/06/2026 04:07:16 UTC	TCP	30380 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:30380 · (tentative d'exploit)	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 30380 Chemin / cible / Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 55 Confiance : Confiance 59 % — 5 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:30380 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:30380 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "5b9779b559c4c8bf35dcfe2a1961a4f721585e0d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.1788943808028325, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 30380, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 55, "tag_count": 5, "anomaly_count": 0, "campaign_key": "b7d3adaa25aacfde957c18aedee992f53018fe7a", "event_fingerprint": "34d9df23f8696d77c000e840dcee398045b11273", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 55 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "28c8680cf7fc458665799fc17bcfa0c2", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 30380, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30380\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30380\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30380\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30380\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30380\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b22e48e13791dfee19d123979c18a01cffc623ee", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 30380, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30380\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "attack_vector": "lfi path traversal \u00b7 via HTTP:30380 \u00b7 (tentative d'exploit)", "target_port_label": "30380 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 30380, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 30380, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:30380 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30380\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "target_port_label": "30380 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "30380" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 02:38:36 UTC	TCP	26519 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:26519 · (tentative d'exploit) · → /sse	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /sse TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 26519 Chemin / cible /sse Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 56 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /sse HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:26519 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: Requête brute (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:26519 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "64fb00b364d9e2249c029292fb6250721ab1ff84", "http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.16900310811385, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 26519, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "0ef5811fcfadfd499db3732646a357e3e905be50", "event_fingerprint": "718e3d9a1bff6bfdba9b79da552dd06d6323aeb5", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 56 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "f0db096b677ee6ffe39add6d1db38e25", "path_pattern_hash": "9c55a765acd7167a274de1a30a6df566" }, "target_context": { "dst_port": 26519, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:26519\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ", "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:26519\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:26519\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "evidence": { "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:26519\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:26519\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8c9259972c9fbd749fedfb589cd7f39637dbefce", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 26519, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:26519\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "attack_vector": "lfi path traversal \u00b7 via HTTP:26519 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "target_port_label": "26519 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 56 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 26519, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 26519, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:26519 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:26519\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "target_port_label": "26519 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "26519" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
15/06/2026 00:48:31 UTC	TCP	6760 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:6760 · (tentative d'exploit) · → /mcp	Élevée	Moyen · 60
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 34 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST /mcp TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 6760 Chemin / cible /mcp Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 60 Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST /mcp HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 Payload (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:6760 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content- Requête brute (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:6760 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versio Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "42cd3014b80faa6438d50bcec580cabdbe3a8c3d", "http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 447, "payload_entropy": 5.206336872561806, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 6760, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 60, "tag_count": 5, "anomaly_count": 0, "campaign_key": "71e5bd26e7ff0c05806f0f84478b0c0bda90d748", "event_fingerprint": "4027e298ef38536d1c3a00dee4ebd8425b06012b", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 60 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "9a359fcbc2018bb35701818acbb1887f", "path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3" }, "target_context": { "dst_port": 6760, "service": "http", "service_name": "http", "risk_score": 60 }, "payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6760\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6760\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6760\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "evidence": { "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6760\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6760\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4d44a91978033d115f483f04a254894b1ee4daeb", "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6760, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6760\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "attack_vector": "http smuggling probe \u00b7 via HTTP:6760 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "target_port_label": "6760 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 60 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 60, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6760, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6760, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:6760 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6760\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "target_port_label": "6760 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6760" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ] }
14/06/2026 22:59:55 UTC	TCP	2746 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:2746 · (tentative d'exploit)	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2746 Chemin / cible / Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 57 Confiance : Confiance 59 % — 5 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 192.0.2.1 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Conne Requête brute (extrait) GET / HTTP/1.1 Host: 192.0.2.1 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "e7ac7ecd794e71914a63e2cbdca798fceb5afd12", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 144, "payload_entropy": 5.097605644356062, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 2746, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 57, "tag_count": 5, "anomaly_count": 0, "campaign_key": "9f9436dda503d0758fa93ee797a25eb9e1071a42", "event_fingerprint": "7bfd9f649e66b6c61011329282e49b0ef246b906", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 57 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "973598b044a4648e3c3fc5667c0c8ce9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2746, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2c22ebd8ab0e8ba3bf5e17eee716cc94b96a8262", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 2746, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "attack_vector": "lfi path traversal \u00b7 via HTTP:2746 \u00b7 (tentative d'exploit)", "target_port_label": "2746 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 57 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2746, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 2746, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:2746 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "target_port_label": "2746 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2746" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
14/06/2026 21:25:15 UTC	TCP	21846 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:21846 · (tentative d'exploit) · → /sse	Élevée	Moyen · 58
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /sse TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 21846 Chemin / cible /sse Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 58 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /sse HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:21846 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: Requête brute (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:21846 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "f7e06d118991d583cad74c869cf57309e06c8f9a", "http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.1834266028895755, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 21846, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 58, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b011dc3cd3c326f7e990c8faf9f984fa56dd4e67", "event_fingerprint": "8319201162a9f6a30621955e148d07003ac8721c", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "fa9bb56dfa97b5804b1bde541fa7d780", "path_pattern_hash": "9c55a765acd7167a274de1a30a6df566" }, "target_context": { "dst_port": 21846, "service": "http", "service_name": "http", "risk_score": 58 }, "payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:21846\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ", "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:21846\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:21846\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "evidence": { "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:21846\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:21846\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "080b19da9743c3d4544fcf78695222462d56999d", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 21846, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:21846\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "attack_vector": "lfi path traversal \u00b7 via HTTP:21846 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "target_port_label": "21846 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 58 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 58, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 21846, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 21846, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:21846 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:21846\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "target_port_label": "21846 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "21846" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
14/06/2026 20:48:47 UTC	TCP	16619 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:16619 · (tentative d'exploit) · → /favicon.ico	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole GET /favicon.ico UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 16619 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 50% Confiance classification 60% Corrélation +10 Risque capteur Moyen · 55 Confiance : Confiance 50 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:16619 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:16619 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "c45249e15a5391e6607bf697222438455f55cee2", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.181179013636723, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 16619, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "3462472f2aaee2628bc0a0f4cb74de7d8f7919a0", "event_fingerprint": "370c2af15b3e8f4d8fc2f82085f824fa3790ac5a", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.6, "classification_confidence": 0.6, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 55, "correlation_boost": 10 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "ee2330931c85a8f54a7f958872db1297", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 16619, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:16619\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:16619\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:16619\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:16619\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:16619\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f824ad3bf966a3191426e5283bfc754213956638", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 16619, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:16619\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "attack_vector": "lfi path traversal \u00b7 via HTTP:16619 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "target_port_label": "16619 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 60 % \u2014 via HTTP \u2014 campagne \/24 (217.146.80.0\/24)", "confidence_pct": 60, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 55, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 16619, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 16619, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:16619 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:16619\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "target_port_label": "16619 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (217.146.80.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "16619" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "217.146.80.0\/24", "coordinated_ip_count": 7, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
14/06/2026 20:33:37 UTC	TCP	30784 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:30784 · (tentative d'exploit)	Élevée	Moyen · 60
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 37 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 30784 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Moyen · 60 Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:30784 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Le Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:30784 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version: Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "759d936dc5f334a3e7c90d238d95e6293a22de27", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 445, "payload_entropy": 5.224100511801283, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 30784, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.3, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 60, "tag_count": 6, "anomaly_count": 0, "campaign_key": "492734c08662510e7f67e10fb238b08013d50aa2", "event_fingerprint": "7718a585aa8a73d5237bfe9ee8d0d326cfc92d7c", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 60, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "46946d9e211bba47bb804851e9b132e9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 30784, "service": "http", "service_name": "http", "risk_score": 60 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:30784\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:30784\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:30784\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:30784\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:30784\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "14fa44d1b611164ffda7a5c1444ccec4ab42f27f", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 30784, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:30784\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "attack_vector": "http smuggling probe \u00b7 via HTTP:30784 \u00b7 (tentative d'exploit)", "target_port_label": "30784 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (217.146.80.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 60, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 60, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 30784, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 30784, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:30784 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:30784\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "target_port_label": "30784 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 6 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (217.146.80.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "30784" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "217.146.80.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
14/06/2026 20:23:50 UTC	TCP	24859 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:24859 · (tentative d'exploit)	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 37 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 24859 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 64 Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:24859 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Le Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:24859 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version: Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "310cbc7ef394ba66c5423fbee8ecbc21a5f6532d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 445, "payload_entropy": 5.224461480167377, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 24859, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.6, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "a370d97db39593a2de77f625ac583cde3b4af871", "event_fingerprint": "8fca3021c944efbb9411f9c3f6065a00f5f35b52", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "1b6136d51a705978973b1997e52e7dec", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 24859, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:24859\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:24859\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:24859\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:24859\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:24859\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c944cc8e94287f6df3dc59f0e459806b671f3755", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 24859, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:24859\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "attack_vector": "http smuggling probe \u00b7 via HTTP:24859 \u00b7 (tentative d'exploit)", "target_port_label": "24859 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 24859, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 24859, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:24859 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:24859\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "target_port_label": "24859 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "24859" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
14/06/2026 20:10:15 UTC	TCP	29610 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:29610 · (tentative d'exploit) · → /mcp	Élevée	Moyen · 60
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 34 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST /mcp TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 29610 Chemin / cible /mcp Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 60 Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST /mcp HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 Payload (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:29610 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content Requête brute (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:29610 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versi Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "f1f8f53c434f32437d5c0c9987a94858f17d6e3d", "http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 448, "payload_entropy": 5.206293809507522, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 29610, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 60, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ff2821c085b5979ce9ba2e70ca9456f7b5e5a959", "event_fingerprint": "228d2ae37c573ed39d227d41316d6839626979ba", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 60 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "085fb7731593d978b8f210403622afb4", "path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3" }, "target_context": { "dst_port": 29610, "service": "http", "service_name": "http", "risk_score": 60 }, "payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29610\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29610\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29610\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "evidence": { "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29610\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29610\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bdc8b7803e2794481dface877d41d7de8190e3c5", "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 29610, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29610\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "attack_vector": "http smuggling probe \u00b7 via HTTP:29610 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "target_port_label": "29610 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 60 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 60, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 29610, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 29610, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:29610 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29610\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "target_port_label": "29610 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "29610" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ] }
14/06/2026 20:05:32 UTC	TCP	32256 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:32256 · (tentative d'exploit)	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 37 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 32256 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Moyen · 62 Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:32256 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Le Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:32256 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version: Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "a1be992a396eb3ab6fde029de4dcc8da0e0e193f", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 445, "payload_entropy": 5.197865518451378, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 32256, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 62, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c03e2a294b8e01a651580c8ec80115328e75da43", "event_fingerprint": "0ef6a50f949c8f15d7eb7b63ba04e4dee9cf02d6", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 62, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "1b19131d9ad4d0a843c8b512c21d1b98", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 32256, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:32256\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:32256\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:32256\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:32256\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:32256\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2a3b32238ea5aaa210fc15c521336f55cb913e24", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 32256, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:32256\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "attack_vector": "http smuggling probe \u00b7 via HTTP:32256 \u00b7 (tentative d'exploit)", "target_port_label": "32256 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (217.146.80.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 62, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 32256, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 32256, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:32256 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:32256\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "target_port_label": "32256 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 6 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (217.146.80.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "32256" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "217.146.80.0\/24", "coordinated_ip_count": 7, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
14/06/2026 20:02:56 UTC	TCP	3938 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:3938 · (tentative d'exploit)	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3938 Chemin / cible / Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 55 Confiance : Confiance 59 % — 5 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3938 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3938 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "49efe4d8ff9ef7ae0ca160606e7598bde2c15f14", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.197114973037234, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 3938, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 55, "tag_count": 5, "anomaly_count": 0, "campaign_key": "e484ce3c6fb02dd2eabfcc45af7e081368543d28", "event_fingerprint": "5e675b690c831f343e6efcbf755fffba8218ca71", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 55 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "14d0b3be16be0785d913ed0b0a351caa", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3938, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3938\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3938\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3938\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3938\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3938\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b6a7d08b998330484a95f1a74945016c728c9aeb", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 3938, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3938\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "attack_vector": "lfi path traversal \u00b7 via HTTP:3938 \u00b7 (tentative d'exploit)", "target_port_label": "3938 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3938, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 3938, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:3938 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3938\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "target_port_label": "3938 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3938" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
14/06/2026 15:19:51 UTC	TCP	7026 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:7026 · (tentative d'exploit) · → /mcp	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 34 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST /mcp TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 7026 Chemin / cible /mcp Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 62 Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST /mcp HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 Payload (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:7026 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content- Requête brute (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:7026 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versio Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "8fdcf14489b990161738aa5d8645f0c01bc01397", "http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 447, "payload_entropy": 5.204279412744034, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 7026, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2fa5940185c7de48b8aa2f924c28f354a4cc065a", "event_fingerprint": "2714be416c86fd76481af4386f5e7cbc8db2a50c", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 62 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "c41b5f73f19f1e2e271088c701841daf", "path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3" }, "target_context": { "dst_port": 7026, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:7026\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:7026\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:7026\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "evidence": { "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:7026\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:7026\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6b35a765b4e41ebec4f7b09ab821ae51f3e15483", "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 7026, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:7026\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "attack_vector": "http smuggling probe \u00b7 via HTTP:7026 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "target_port_label": "7026 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 62 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7026, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 7026, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:7026 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:7026\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "target_port_label": "7026 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7026" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ] }
14/06/2026 14:31:08 UTC	TCP	13502 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:13502 · (tentative d'exploit) · → /sse	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /sse TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 13502 Chemin / cible /sse Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 57 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /sse HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:13502 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: Requête brute (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:13502 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "3d0ec4ef02686b7e7e646e0bd80be3a68b9ea789", "http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.145494076722891, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 13502, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c785f5f90d30de00d079a178d859b6c929cd565d", "event_fingerprint": "324e1bb82d0b67fd61b4ab22f309c93b847a61c3", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 57 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "9c97267cd6a540939f17712efc955934", "path_pattern_hash": "9c55a765acd7167a274de1a30a6df566" }, "target_context": { "dst_port": 13502, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:13502\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ", "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:13502\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:13502\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "evidence": { "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:13502\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:13502\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aa27f183c6156102373e82d1bf37026c9a1d9bb3", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 13502, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:13502\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "attack_vector": "lfi path traversal \u00b7 via HTTP:13502 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "target_port_label": "13502 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 57 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 13502, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 13502, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:13502 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:13502\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "target_port_label": "13502 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "13502" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
14/06/2026 14:12:26 UTC	TCP	18065 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:18065 · (tentative d'exploit) · → /sse	Élevée	Moyen · 58
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /sse TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18065 Chemin / cible /sse Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 69% Corrélation +10 Risque capteur Moyen · 58 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /sse HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:18065 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: Requête brute (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:18065 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "af9be5badc9c5e9d46eed960b054f19d5e20c974", "http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.162484194512611, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 18065, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 58, "tag_count": 4, "anomaly_count": 0, "campaign_key": "37304a322979e195cf246cb0a9d142ed1ddb0fb5", "event_fingerprint": "ef6840ea327c9a1c9b72f8a4ff236fcb6b592132", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.69, "classification_confidence": 0.69, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 58, "correlation_boost": 10 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "8c6b8cc90a31ad496ac0aee28c5c5d6c", "path_pattern_hash": "9c55a765acd7167a274de1a30a6df566" }, "target_context": { "dst_port": 18065, "service": "http", "service_name": "http", "risk_score": 58 }, "payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ", "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "evidence": { "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "49183442f2877ebeecebfc052d6a8b624fa1abdc", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 18065, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "attack_vector": "lfi path traversal \u00b7 via HTTP:18065 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "target_port_label": "18065 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (217.146.80.0\/24)", "confidence_pct": 69, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 58, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 58, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18065, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 18065, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:18065 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "target_port_label": "18065 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (217.146.80.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18065" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "217.146.80.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
14/06/2026 13:39:55 UTC	TCP	19437 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:19437 · (tentative d'exploit)	Élevée	Moyen · 60
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 37 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 19437 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Moyen · 60 Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:19437 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Le Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:19437 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version: Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "a657e61fe493d69818288523bc46124d24b8108a", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 445, "payload_entropy": 5.225332526376151, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 19437, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 60, "tag_count": 6, "anomaly_count": 0, "campaign_key": "b8fa4a932ce0913e007d62e7bffeaddcbcce2f1f", "event_fingerprint": "ef61f8dbe0cc236767b6405833b4448cfb155e24", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 60, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "a6fe3e8622cee1af222c59fd243955b2", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 19437, "service": "http", "service_name": "http", "risk_score": 60 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19437\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19437\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19437\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19437\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19437\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ba4eb070f904efbfaccd048cfeed1a3cb16f8674", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 19437, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19437\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "attack_vector": "http smuggling probe \u00b7 via HTTP:19437 \u00b7 (tentative d'exploit)", "target_port_label": "19437 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (217.146.80.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 60, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 60, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 19437, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 19437, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:19437 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19437\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le", "target_port_label": "19437 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 6 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (217.146.80.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "19437" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "217.146.80.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
13/06/2026 21:29:29 UTC	TCP	6516 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:6516 · (tentative d'exploit) · → /favicon.ico	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /favicon.ico UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6516 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 55 Confiance : Confiance 50 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:6516 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) A Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:6516 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "12108336434709463f379dc7d9bda3e98056d426", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 184, "payload_entropy": 5.1652320663806535, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 6516, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a4d4c91a0156678ee1475665f7cc08edfb1f79dd", "event_fingerprint": "a313978d3b5fafa8dafb934955e417a3b8ad4742", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "231335bdee99fb7b7693e492af942521", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 6516, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6516\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6516\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6516\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6516\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6516\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f72cbd380dd8339f0316da67dcc22f4a065664d2", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6516, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6516\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "attack_vector": "lfi path traversal \u00b7 via HTTP:6516 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "target_port_label": "6516 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP", "confidence_pct": 50, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6516, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6516, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:6516 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6516\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "target_port_label": "6516 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6516" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "behavior_alert_count": 1, "behavior_priority": 84 }
13/06/2026 19:15:59 UTC	TCP	6632 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:6632 · (tentative d'exploit) · → /sse	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /sse TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6632 Chemin / cible /sse Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 59 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /sse HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:6632 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: t Requête brute (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:6632 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "85f4896fe3794efb15386fa7bea9a1418322d8ba", "http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 190, "payload_entropy": 5.148753963567358, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 6632, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 59, "tag_count": 4, "anomaly_count": 0, "campaign_key": "39f217e41b222eb7e7ab3a4b764b1f42ea69db0c", "event_fingerprint": "5de581c1e96fcf33fc240e6e0a57be6a424e2f31", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 59 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "baa07d5f990e06e474bcac2d30650199", "path_pattern_hash": "9c55a765acd7167a274de1a30a6df566" }, "target_context": { "dst_port": 6632, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:6632\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:6632\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:6632\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "evidence": { "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:6632\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:6632\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "53f8a55ff539621fe6a1790c568515b24e487a97", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6632, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:6632\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "attack_vector": "lfi path traversal \u00b7 via HTTP:6632 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "target_port_label": "6632 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6632, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6632, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:6632 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:6632\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "target_port_label": "6632 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6632" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
13/06/2026 15:00:10 UTC	TCP	22923 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:22923 · (tentative d'exploit) · → /favicon.ico	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /favicon.ico UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 22923 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 56 Confiance : Confiance 50 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:22923 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:22923 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "26e2179c82ed19cc40577c483f78dc36314d4ee0", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.18314943513186, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 22923, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "23a0e680cb0841aecd9c5cf35f50abf2b71ff812", "event_fingerprint": "ad5b8f20d2e384a559c5486bd1dcc21806063af4", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 56 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "6f897bd586e02571b3e417f33c1eb37c", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 22923, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:22923\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:22923\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:22923\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:22923\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:22923\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bb890697426bf39adfca3863adf61c07a7e2e8f2", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 22923, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:22923\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "attack_vector": "lfi path traversal \u00b7 via HTTP:22923 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "target_port_label": "22923 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP", "confidence_pct": 50, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 56 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 22923, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 22923, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:22923 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:22923\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "target_port_label": "22923 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "22923" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
05/06/2026 08:31:45 UTC	TCP	25016	http	Traversal LFI	Élevée	Moyen · 59
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 25016 Chemin / cible /favicon.ico Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:25016 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:25016 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "973b2607a89a53e513d5f4f63500847beaaf600a", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.172338624321049, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 25016, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 59, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9e2f8ca8dc45e37cf963ed0e587bf1c1927b4afd", "event_fingerprint": "f9edde8bca6a3a5c88459c5a9cc65f9a883e962a", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "993eb0256a83ba20688bd9da38b2768e", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 25016, "service": "http" }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:25016\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:25016\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:25016\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:25016\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:25016\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4203b08fe8bd103631e5af1e1596e1f879ae29a7", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
04/06/2026 13:22:35 UTC	TCP	29069	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 29069 Chemin / cible /favicon.ico Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:29069 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "021ef8317547a8fa0778b4f76389a346a4e571ea", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.19396024594267, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 29069, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bbf586c124db7f9954174b119cc5a8260fe1e027", "event_fingerprint": "167f86e0bd9e66fa09df06385bc83990e30c6d0a", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "34ae6179819aed3869e53632030f894c", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 29069, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:29069\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n", "event_signature": "1a4a3accc9a19e5a8b18d53b6cbc843df3cc0b2f", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
04/06/2026 11:28:50 UTC	TCP	27306	http	web attack	Élevée	Moyen · 64
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 27306 Chemin / cible / Confiance classification 95% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:27306 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "a15e49995c1fafdc99a737b1c50448cc32311b62", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.197395995451532, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 27306, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c87782d4b312cad6b04791fc8a3a35dd7bcb9ee2", "event_fingerprint": "f7d2d8a8143cfdba34bdb895a3466a3d2b51d599", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "2009c2593c57c4276408cff69f0b6e0a", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 27306, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.95, "classification_confidence": 0.95, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:27306\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "event_signature": "90610b509f175357369959bebce1b9cdb39c2f29", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
01/06/2026 18:57:58 UTC	TCP	16336	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 18:38:48 UTC	TCP	25112	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 15:28:22 UTC	TCP	3757	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 15:06:05 UTC	TCP	8222	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 15:05:38 UTC	TCP	23968	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 10:05:23 UTC	TCP	14207	http	web attack	Élevée	Critique · 100
Étape — WAF 30 Recommandation — Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 14207 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "f0593655ce601597e09ab4e4ff15b983b58b90eb", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.208890248325095, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "876e68e651049c1cacf5d5a9bb50d2d9411a9db0", "event_fingerprint": "52e9440b977fa844f94d7a9631ee8387cc9c5757", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
01/06/2026 09:53:25 UTC	TCP	19007	http	web attack	Élevée	Critique · 100
Étape — WAF 30 Recommandation — Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 19007 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "a72290948c20d976d876a2fd92be6b51cf92b6c5", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.199639441000746, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "d90fbd356b6ae153f3c0f8f0d08534215109696e", "event_fingerprint": "9aa46af43fad4a6b1b47fa078c4985473f86a874", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }

217.146.80.103

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence