Détails IP 3.19.185.206

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_probe » (signaux protocolaires) · confiance 0%

Confiance 8 % — Score WAF 8 · Bonus corrélation +8

Comparaison ASN / FAI

ASN 16509 · 3.16.0.0/14 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 7 événements sur la période pour cette IP.

3.144.124.187 Sonde port 16/06/2026 03:55 UTC
18.223.238.91 Sonde PostgreSQL 16/06/2026 03:55 UTC
3.22.234.62 modbus probe 16/06/2026 03:53 UTC
18.222.36.198 Sonde PostgreSQL 16/06/2026 03:33 UTC
18.219.222.72 Tentative d'exploit 16/06/2026 03:26 UTC
44.242.168.234 Tentative d'exploit 16/06/2026 02:50 UTC
18.223.187.139 Sonde PostgreSQL 16/06/2026 02:39 UTC
13.59.6.180 Sonde port 143/TCP 16/06/2026 02:37 UTC

IPs apparentées

Même FAI Amazon.com, Inc. — corrélation indicative.

3.144.124.187 Sonde port
18.223.238.91 Sonde PostgreSQL
3.22.234.62 modbus probe
18.222.36.198 Sonde PostgreSQL
18.219.222.72 Tentative d'exploit

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

REDIS TCP 4 HTTP TCP 1 TLS TCP 1

REDIS

4

HTTP

1

TLS

1

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

7 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
16/06/2026 02:37:02 UTC	TCP	8728	—	Sonde port Sonde port · port 8728 · (sonde / probe)	Faible	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8728 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 33 Confiance : Confiance faible (0 %) — classification prudente Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": null, "app_proto": null, "asn": 16509, "country": "US", "dst_port": 8728, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 33, "tag_count": 0, "anomaly_count": 0, "campaign_key": "e98149b7ab98674a01d07fe41cd3896d1e59139a", "event_fingerprint": "7104ee8aaba85431751da15c485717a052fd7175", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 33, "correlation_boost": 8 }, "named_classification_skipped": false, "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 8728, "risk_score": 33 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "09f50e2dcde3c10b851a5492c58cfd40f5689eb7", "protocol_details": { "port": 8728 }, "attack_vector": "Sonde port \u00b7 port 8728 \u00b7 (sonde \/ probe)", "target_port_label": "8728", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 33, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": null, "service_label_fr": null, "dst_port": 8728, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "port": 8728 }, "attack_vector": "Sonde port \u00b7 port 8728 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8728", "emulator_service": null, "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "8728" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 4, "multi_protocol_sample": [ "http", "port:8728", "redis", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
16/06/2026 02:36:36 UTC	TCP	6379 · REDIS	redis	Sonde PostgreSQL postgres probe · via REDIS:6379 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 35fa0a83e466acbe Sonde protocole Redis Émulateur REDIS WAF — Recommandation Surveiller Tags net_redis_probe redis_emulated tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6379 Chemin / cible — Service REDIS Redis Sonde protocole Redis Payload ��{j�uy�&�zcgza�(�� u/�� ;x6�[z�`��[d�\x��@d�� >_I&̨̩�/�0�+�,�� /5� { Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��{j�uy�&�zcgza�(��u/�� ;x6�[z�`��[d�\x��@d�� >_I&̨̩�/�0�+�,�� /5� { Requête brute (extrait) ��{j�uy�&�zcgza�(�� u/�� ;x6�[z�`��[d�\x��@d�� >_I&̨̩�/�0�+�,�� /5� { �+ 3&$ r`� +�"�$�\�+P{�ۚ�n�ىF��Uo Meta JSON brut { "protocol_emulated": true, "emulator_response": "2d4e4f415554482041757468656e7469636174696f6e2072657175697265642e0d0a", "emulator_response_len": 34, "bytes_in": 243, "payload_entropy": 5.761663568812538, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "redis", "app_proto": "redis", "asn": 16509, "country": "US", "dst_port": 6379, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "cc777f011dca1c47dcd5ed00da4418db0ec70ea5", "event_fingerprint": "9c536ce82edfb6f83700eeb7934e9ac49a41747b", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15, "risk_score": 40, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "redis", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e9d350c6e6eae1a31129288f1e853ece", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "35fa0a83e466acbec1cfbb9016d550ab", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 6379, "service": "redis", "service_name": "redis", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd{j\u0017\u0014\ufffduy\u0010\ufffd&\ufffdzcgza\ufffd\u0016\u001c\u001f(\ufffd\ufffd\f\ufffdu\/\ufffd\ufffd\ufffd\ufffd \ufffd;x6\ufffd[z\ufffd`\ufffd\ufffd[\u001ad\ufffd\\\u000ex\ufffd\u000e\ufffd@d\ufffd\u001c\ufffd\ufffd\t>_\u0000I\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd{j\u0017\u0014\ufffduy\u0010\ufffd&\ufffdzcgza\ufffd\u0016\u001c\u001f(\ufffd\ufffd\f\ufffdu\/\ufffd\ufffd\ufffd\ufffd \ufffd;x6\ufffd[z\ufffd`\ufffd\ufffd[\u001ad\ufffd\\\u000ex\ufffd\u000e\ufffd@d\ufffd\u001c\ufffd\ufffd\t>_\u0000I\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 r`\ufffd\f+\ufffd\"\ufffd\u001d\u0013$\ufffd\\\ufffd+P{\ufffd\u06da\ufffdn\ufffd\u0649F\u0001\ufffd\ufffdUo", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd{j\u0017\u0014\ufffduy\u0010\ufffd&\ufffdzcgza\ufffd\u0016\u001c\u001f(\ufffd\ufffd\f\ufffdu\/\ufffd\ufffd\ufffd\ufffd \ufffd;x6\ufffd[z\ufffd`\ufffd\ufffd[\u001ad\ufffd\\\u000ex\ufffd\u000e\ufffd@d\ufffd\u001c\ufffd\ufffd\t>_\u0000I\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c8b7d84e16b874223d9553042991e6ecfe364a77", "protocol_details": { "redis_command_fr": "Sonde protocole Redis", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd{j\u0017\u0014\ufffduy\u0010\ufffd&\ufffdzcgza\ufffd\u0016\u001c\u001f(\ufffd\ufffd\f\ufffdu\/\ufffd\ufffd\ufffd\ufffd \ufffd;x6\ufffd[z\ufffd`\ufffd\ufffd[\u001ad\ufffd\\\u000ex\ufffd\u000e\ufffd@d\ufffd\u001c\ufffd\ufffd\t>_\u0000I\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "evidence_snippet": "\ufffd\ufffd\ufffd{j\ufffduy\ufffd&\ufffdzcgza\ufffd(\ufffd\ufffd\ufffdu\/\ufffd\ufffd\ufffd\ufffd \ufffd;x6\ufffd[z\ufffd`\ufffd\ufffd[d\ufffd\\x\ufffd\ufffd@d\ufffd\ufffd\ufffd\t>_I&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "attack_vector": "postgres probe \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15, "risk_score": 40, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "redis", "service_label_fr": "REDIS", "dst_port": 6379, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Redis 7.0", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "redis_command_fr": "Sonde protocole Redis", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd{j\u0017\u0014\ufffduy\u0010\ufffd&\ufffdzcgza\ufffd\u0016\u001c\u001f(\ufffd\ufffd\f\ufffdu\/\ufffd\ufffd\ufffd\ufffd \ufffd;x6\ufffd[z\ufffd`\ufffd\ufffd[\u001ad\ufffd\\\u000ex\ufffd\u000e\ufffd@d\ufffd\u001c\ufffd\ufffd\t>_\u0000I\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "attack_vector": "postgres probe \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd{j\ufffduy\ufffd&\ufffdzcgza\ufffd(\ufffd\ufffd\ufffdu\/\ufffd\ufffd\ufffd\ufffd \ufffd;x6\ufffd[z\ufffd`\ufffd\ufffd[d\ufffd\\x\ufffd\ufffd@d\ufffd\ufffd\ufffd\t>_I&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "redis", "service_banner": "Redis 7.0", "service_os": "linux", "dst_port": "6379" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "redis", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_redis_probe", "redis_emulated", "tls_clienthello" ], "asn_dc_heuristic": true }
16/06/2026 02:36:34 UTC	TCP	6379 · REDIS	redis	Sonde port 6379/TCP port 6379 tcp · via REDIS:6379 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Commande Redis : *1 Émulateur REDIS WAF — Recommandation Surveiller Tags net_redis_probe redis_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6379 Chemin / cible — Preuve honeypot — Sonde port 6379/TCP Connexion détectée sur le port 6379 (TCP) du capteur simulé. Service REDIS Redis Commande Redis : 1 Payload 1 $4 PING Pourquoi cette classification : Type « port_6379_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Redis PING RESP User-Agent — Règles WAF — Payload (extrait) 1 $4 PING Meta JSON brut { "protocol_emulated": true, "emulator_response": "2d4e4f415554482041757468656e7469636174696f6e2072657175697265642e0d0a", "emulator_response_len": 34, "bytes_in": 14, "payload_entropy": 3.128085278891395, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "redis", "app_proto": "redis", "asn": 16509, "country": "US", "dst_port": 6379, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "b10303bd0e441f9f60f46376cbc4ca72292b5068", "event_fingerprint": "9c536ce82edfb6f83700eeb7934e9ac49a41747b", "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "matched_patterns": [ "pat-0414" ], "matched_pattern_names": [ "Redis PING RESP" ], "pattern_ids": [ "pat-0414" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "redis_probe", "service_name": "redis", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a43cb6a3b9d261112714d00e36b33106", "path_pattern_hash": "42eb67f6877c6439dbde87dd6ec1f324" }, "target_context": { "dst_port": 6379, "service": "redis", "service_name": "redis", "risk_score": 42 }, "payload_preview": "1\r\n$4\r\nPING\r\n", "request_sample": "1\r\n$4\r\nPING\r\n", "payload_snippet": "1\r\n$4\r\nPING", "evidence": { "request_sample": "1\r\n$4\r\nPING\r\n", "payload_snippet": "1\r\n$4\r\nPING", "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bb6c7015c5a55c8ee4d3064ed778f3ffa5d9b456", "protocol_details": { "redis_command_fr": "Commande Redis : 1", "payload_preview": "1\r\n$4\r\nPING", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "evidence_snippet": "1\r\n$4\r\nPING", "attack_vector": "port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "redis", "service_label_fr": "REDIS", "dst_port": 6379, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Redis 7.0", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "redis_command_fr": "Commande Redis : 1", "payload_preview": "1\r\n$4\r\nPING", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "attack_vector": "port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "evidence_snippet": "1\r\n$4\r\nPING", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "redis", "service_banner": "Redis 7.0", "service_os": "linux", "dst_port": "6379" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "redis", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_redis_probe", "redis_emulated" ], "asn_dc_heuristic": true }
16/06/2026 02:36:17 UTC	TCP	8728 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:8728 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 7c1e207beb00684b Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8728 Chemin / cible — Service TLS Payload ��( J�3_#:`�^ͪ�w��>��5ݱy)l� S��A(�6�g`��޼Q��؀Y��<��&̨̩�/�0�+�,�� /5� � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��(J�3_#:`�^ͪ�w��>��5ݱy)l� S��A(�6�g`��޼Q��؀Y��<��&̨̩�/�0�+�,�� /5� � Requête brute (extrait) ��( J�3_#:`�^ͪ�w��>��5ݱy)l� S��A(�6�g`��޼Q��؀Y��<��&̨̩�/�0�+�,�� /5� � � h2http/1.1+ 3&$ ��(��̆g�}D,ޟ^ق�;,+-r;� Meta JSON brut { "tls_ja3_hash": "7c1e207beb00684bbbe144f1b0abe1d5", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "tls_alpn": [ "h2", "http\/1.1" ], "bytes_in": 261, "payload_entropy": 5.92263769164128, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "tls", "app_proto": "tls", "asn": 16509, "country": "US", "dst_port": 8728, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "560b7efe274ad7042f8ee52930af1cb26fcc2f60", "event_fingerprint": "421949bfd9626ee2a36d74822f4634c16ef80fcd", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "7c1e207beb00684bbbe144f1b0abe1d5", "payload_hash": "1d88104e56514299cb6e7c60e74bb2eb", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 8728, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u0016\ufffd(\u000bJ\u0007\ufffd3_#:`\ufffd^\u036a\ufffdw\ufffd\ufffd>\ufffd\ufffd5\b\u0771y)l\ufffd\u001a S\ufffd\ufffd\ufffd\ufffdA(\ufffd6\ufffdg`\ufffd\u0014\ufffd\u07bcQ\ufffd\ufffd\ufffd\u0600Y\ufffd\ufffd<\ufffd\ufffd\u0019\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u0016\ufffd(\u000bJ\u0007\ufffd3_#:`\ufffd^\u036a\ufffdw\ufffd\ufffd>\ufffd\ufffd5\b\u0771y)l\ufffd\u001a S\ufffd\ufffd\ufffd\ufffdA(\ufffd6\ufffdg`\ufffd\u0014\ufffd\u07bcQ\ufffd\ufffd\ufffd\u0600Y\ufffd\ufffd<\ufffd\ufffd\u0019\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd(\ufffd\ufffd\u0306g\u001d\ufffd}D,\u079f^\u0642\ufffd;,+-r;\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u0016\ufffd(\u000bJ\u0007\ufffd3_#:`\ufffd^\u036a\ufffdw\ufffd\ufffd>\ufffd\ufffd5\b\u0771y)l\ufffd\u001a S\ufffd\ufffd\ufffd\ufffdA(\ufffd6\ufffdg`\ufffd\u0014\ufffd\u07bcQ\ufffd\ufffd\ufffd\u0600Y\ufffd\ufffd<\ufffd\ufffd\u0019\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "33a74a7213578e0b2b700b3740404791dc85577f", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u0016\ufffd(\u000bJ\u0007\ufffd3_#:`\ufffd^\u036a\ufffdw\ufffd\ufffd>\ufffd\ufffd5\b\u0771y)l\ufffd\u001a S\ufffd\ufffd\ufffd\ufffdA(\ufffd6\ufffdg`\ufffd\u0014\ufffd\u07bcQ\ufffd\ufffd\ufffd\u0600Y\ufffd\ufffd<\ufffd\ufffd\u0019\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5", "port": 8728, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd(J\ufffd3_#:`\ufffd^\u036a\ufffdw\ufffd\ufffd>\ufffd\ufffd5\u0771y)l\ufffd S\ufffd\ufffd\ufffd\ufffdA(\ufffd6\ufffdg`\ufffd\ufffd\u07bcQ\ufffd\ufffd\ufffd\u0600Y\ufffd\ufffd<\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:8728 \u00b7 (sonde \/ probe)", "target_port_label": "8728 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8728, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u0016\ufffd(\u000bJ\u0007\ufffd3_#:`\ufffd^\u036a\ufffdw\ufffd\ufffd>\ufffd\ufffd5\b\u0771y)l\ufffd\u001a S\ufffd\ufffd\ufffd\ufffdA(\ufffd6\ufffdg`\ufffd\u0014\ufffd\u07bcQ\ufffd\ufffd\ufffd\u0600Y\ufffd\ufffd<\ufffd\ufffd\u0019\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5", "port": 8728, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:8728 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd(J\ufffd3_#:`\ufffd^\u036a\ufffdw\ufffd\ufffd>\ufffd\ufffd5\u0771y)l\ufffd S\ufffd\ufffd\ufffd\ufffdA(\ufffd6\ufffdg`\ufffd\ufffd\u07bcQ\ufffd\ufffd\ufffd\u0600Y\ufffd\ufffd<\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "8728 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8728" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "redis", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
16/06/2026 02:35:50 UTC	TCP	8728 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:8728 · (tentative d'exploit)	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8728 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8728 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/ Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8728 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4", "http_host_hash": "261a4adf90d8ced3ef11173e26148fe8ecb06636", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.295329159959702, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "US", "dst_port": 8728, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "c920204440f41ab9ef786a5de9bcb5131b69e0ed", "event_fingerprint": "6803d4af34f405f880a6b0f9e5ff7e63d7e4bf16", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cb226636f11f4f631f065fb419a8bab8", "payload_hash": "0a35fd9ba2d9aa3ecc163e0917da678c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8728, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8728\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8728\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8728\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "evidence": { "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8728\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8728\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "443bbb405af73ca771c6290848206263434b695e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 8728, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8728\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "attack_vector": "exploit attempt \u00b7 via HTTP:8728 \u00b7 (tentative d'exploit)", "target_port_label": "8728 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8728, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 8728, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:8728 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8728\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "target_port_label": "8728 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8728" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "redis" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 96 }
16/06/2026 02:35:45 UTC	TCP	6379 · REDIS	redis	Sonde PostgreSQL postgres probe · via REDIS:6379 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Sonde protocole Redis Émulateur REDIS WAF — Recommandation Surveiller Tags net_redis_probe redis_emulated tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6379 Chemin / cible — Service REDIS Redis Sonde protocole Redis Payload �pAc}Q&@T�LGIߪ�ٜ+��e��\|��r�� kf��F኿%1�i�-��,W&̨̩�/�0�+�,�� /5� � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �pAc}Q&@T�LGIߪ�ٜ+��e��\|��r�� kf��F኿%1�i�-��,W&̨̩�/�0�+�,�� /5� � Requête brute (extrait) �pAc}Q&@T�LGIߪ�ٜ+��e��\|��r�� kf��F኿%1�i�-��,W&̨̩�/�0�+�,�� /5� � � h2http/1.1+ 3&$ �%E�L��N0\��@x��.�U�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "2d4e4f415554482041757468656e7469636174696f6e2072657175697265642e0d0a", "emulator_response_len": 34, "bytes_in": 261, "payload_entropy": 5.9706909027278625, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "redis", "app_proto": "redis", "asn": 16509, "country": "US", "dst_port": 6379, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "cc777f011dca1c47dcd5ed00da4418db0ec70ea5", "event_fingerprint": "9c536ce82edfb6f83700eeb7934e9ac49a41747b", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "redis", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "67bfb76b1723776a951bf4af2e01dc90", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 6379, "service": "redis", "service_name": "redis", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003pAc}\u001dQ&@T\ufffdLGI\u07ea\ufffd\u065c+\ufffd\ufffde\ufffd\ufffd\ufffd\|\ufffd\ufffdr\ufffd\ufffd\ufffd \ufffd\u0010\ufffdkf\u0016\ufffd\u001e\ufffd\ufffdF\u12bf%1\ufffdi\ufffd-\ufffd\u0001\u0002\ufffd\ufffd\ufffd\ufffd\u0014\ufffd,W\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003pAc}\u001dQ&@T\ufffdLGI\u07ea\ufffd\u065c+\ufffd\ufffde\ufffd\ufffd\ufffd\|\ufffd\ufffdr\ufffd\ufffd\ufffd \ufffd\u0010\ufffdkf\u0016\ufffd\u001e\ufffd\ufffdF\u12bf%1\ufffdi\ufffd-\ufffd\u0001\u0002\ufffd\ufffd\ufffd\ufffd\u0014\ufffd,W\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd%E\ufffdL\ufffd\ufffdN0\\\u001e\ufffd\ufffd\ufffd\u0010@x\ufffd\ufffd\u0015.\ufffdU\u0004\ufffd\ufffd\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003pAc}\u001dQ&@T\ufffdLGI\u07ea\ufffd\u065c+\ufffd\ufffde\ufffd\ufffd\ufffd\|\ufffd\ufffdr\ufffd\ufffd\ufffd \ufffd\u0010\ufffdkf\u0016\ufffd\u001e\ufffd\ufffdF\u12bf%1\ufffdi\ufffd-\ufffd\u0001\u0002\ufffd\ufffd\ufffd\ufffd\u0014\ufffd,W\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e5f0a2e676574aa5f06e810ac842d4313c38ef24", "protocol_details": { "redis_command_fr": "Sonde protocole Redis", "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003pAc}\u001dQ&@T\ufffdLGI\u07ea\ufffd\u065c+\ufffd\ufffde\ufffd\ufffd\ufffd\|\ufffd\ufffdr\ufffd\ufffd\ufffd \ufffd\u0010\ufffdkf\u0016\ufffd\u001e\ufffd\ufffdF\u12bf%1\ufffdi\ufffd-\ufffd\u0001\u0002\ufffd\ufffd\ufffd\ufffd\u0014\ufffd,W\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "evidence_snippet": "\ufffdpAc}Q&@T\ufffdLGI\u07ea\ufffd\u065c+\ufffd\ufffde\ufffd\ufffd\ufffd\|\ufffd\ufffdr\ufffd\ufffd\ufffd \ufffd\ufffdkf\ufffd\ufffd\ufffdF\u12bf%1\ufffdi\ufffd-\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd,W&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "redis", "service_label_fr": "REDIS", "dst_port": 6379, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Redis 7.0", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "redis_command_fr": "Sonde protocole Redis", "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003pAc}\u001dQ&@T\ufffdLGI\u07ea\ufffd\u065c+\ufffd\ufffde\ufffd\ufffd\ufffd\|\ufffd\ufffdr\ufffd\ufffd\ufffd \ufffd\u0010\ufffdkf\u0016\ufffd\u001e\ufffd\ufffdF\u12bf%1\ufffdi\ufffd-\ufffd\u0001\u0002\ufffd\ufffd\ufffd\ufffd\u0014\ufffd,W\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "attack_vector": "postgres probe \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffdpAc}Q&@T\ufffdLGI\u07ea\ufffd\u065c+\ufffd\ufffde\ufffd\ufffd\ufffd\|\ufffd\ufffdr\ufffd\ufffd\ufffd \ufffd\ufffdkf\ufffd\ufffd\ufffdF\u12bf%1\ufffdi\ufffd-\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd,W&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "redis", "service_banner": "Redis 7.0", "service_os": "linux", "dst_port": "6379" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_redis_probe", "redis_emulated", "tls_clienthello" ], "asn_dc_heuristic": true }
16/06/2026 02:35:40 UTC	TCP	6379 · REDIS	redis	Sonde port 6379/TCP port 6379 tcp · via REDIS:6379 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Sonde protocole Redis Émulateur REDIS WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_redis_probe redis_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6379 Chemin / cible — Preuve honeypot — Sonde port 6379/TCP Connexion détectée sur le port 6379 (TCP) du capteur simulé. Service REDIS Redis Sonde protocole Redis Payload GET / HTTP/1.1 Host: 62.3.50.33:6379 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/ Pourquoi cette classification : Type « port_6379_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 45 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6379 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/ Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6379 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "2d4e4f415554482041757468656e7469636174696f6e2072657175697265642e0d0a", "emulator_response_len": 34, "bytes_in": 191, "payload_entropy": 5.282814188621675, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "redis", "app_proto": "redis", "asn": 16509, "country": "US", "dst_port": 6379, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 46, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 46, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5402c9916180e82dae639eb541e81260d5f1fe65", "event_fingerprint": "9c536ce82edfb6f83700eeb7934e9ac49a41747b", "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 46, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": true, "named_candidate": "redis_probe", "service_name": "redis", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4720ec2740921243f80c24a05af13e2f", "path_pattern_hash": "42eb67f6877c6439dbde87dd6ec1f324" }, "target_context": { "dst_port": 6379, "service": "redis", "service_name": "redis", "risk_score": 45 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6379\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6379\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6379\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6379\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6379\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ddd663adaf91664425b28c99bce1bc3d30addc29", "protocol_details": { "redis_command_fr": "Sonde protocole Redis", "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6379\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6379\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "attack_vector": "port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 46, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "redis", "service_label_fr": "REDIS", "dst_port": 6379, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Redis 7.0", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "redis_command_fr": "Sonde protocole Redis", "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6379\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "attack_vector": "port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6379\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "redis", "service_banner": "Redis 7.0", "service_os": "linux", "dst_port": "6379" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_redis_probe", "redis_emulated" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

3.19.185.206

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence