Détails IP 3.19.68.187

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « postgres_probe » (signaux protocolaires) · confiance 49%

Confiance 49 % — Score WAF 8

Comparaison ASN / FAI

ASN 16509 · 3.0.0.0/10 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 19 événements sur la période pour cette IP.

16.58.56.214 Tentative d'exploit 16/06/2026 13:54 UTC
3.134.92.104 socks5 probe 16/06/2026 13:37 UTC
98.80.4.111 Tentative d'exploit 16/06/2026 13:24 UTC
18.188.120.198 socks5 probe 16/06/2026 13:01 UTC
18.223.44.164 Sonde PostgreSQL 16/06/2026 12:55 UTC
3.145.162.2 Sonde PostgreSQL 16/06/2026 12:49 UTC
3.22.112.226 Sonde PostgreSQL 16/06/2026 12:47 UTC
13.217.95.0 Tentative d'exploit 16/06/2026 12:39 UTC

IPs apparentées

Même FAI Amazon.com, Inc. — corrélation indicative.

16.58.56.214 Tentative d'exploit
3.134.92.104 socks5 probe
98.80.4.111 Tentative d'exploit
18.188.120.198 socks5 probe
18.223.44.164 Sonde PostgreSQL

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 6 TERADATA TCP 5 HTTP ALT 8083 TCP 3 HTTP ALT 81 TCP 3 TLS TCP 2

HTTP

6

TERADATA

5

HTTP ALT 8083

3

HTTP ALT 81

3

TLS

2

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

19 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
16/06/2026 12:45:28 UTC	TCP	8083 · HTTP ALT 8083	http-alt-8083	Sonde PostgreSQL postgres probe · via HTTP ALT 8083:8083 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 35fa0a83e466acbe Émulateur HTTP-ALT-8083 WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8083 Chemin / cible — Service HTTP ALT 8083 Payload ��Bt��=�[�#�T�Ң��&a�`8 `S>s&�'�>0�L�b�F7ĵ�D��oA��&̨̩�/�0�+�,�� /5� { Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Bt��=�[�#�T�Ң��&a�`8 `S>s&�'�>0�L�b�F7ĵ�D��oA��&̨̩�/�0�+�,�� /5� { Requête brute (extrait) ��Bt��=�[�#�T�Ң��&a�`8 `S>s&�'�>0�L�b�F7ĵ�D��oA��&̨̩�/�0�+�,�� /5� { �+ 3&$ #��!_�XCr9�S��X��Y�i��yq Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 243, "payload_entropy": 5.8129970975594345, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http-alt-8083", "app_proto": "http-alt-8083", "asn": 16509, "country": "US", "dst_port": 8083, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "a1f49c85dab019e5ce5201c9821d38a5299dc784", "event_fingerprint": "aafb7ac8941c9e078930e4799c90ed51eac5bf8d", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "http-alt-8083", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cf44eaba858d0378b88d9eb8b058397d", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "35fa0a83e466acbec1cfbb9016d550ab", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8083, "service": "http-alt-8083", "service_name": "http-alt-8083", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001e\u0003\ufffd\ufffdBt\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd[\ufffd#\ufffdT\ufffd\u04a2\ufffd\ufffd\ufffd\ufffd&\u0000a\u0018\ufffd`8 `S\u0003>s&\ufffd'\ufffd>0\ufffdL\u001c\ufffdb\ufffdF7\u001e\u0135\ufffdD\ufffd\ufffd\u0011\ufffdoA\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001e\u0003\ufffd\ufffdBt\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd[\ufffd#\ufffdT\ufffd\u04a2\ufffd\ufffd\ufffd\ufffd&\u0000a\u0018\ufffd`8 `S\u0003>s&\ufffd'\ufffd>0\ufffdL\u001c\ufffdb\ufffdF7\u001e\u0135\ufffdD\ufffd\ufffd\u0011\ufffdoA\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 #\ufffd\ufffd\ufffd\ufffd!_\u0016\ufffdX\u001bCr\u0004\u000e9\ufffdS\ufffd\u0018\ufffd\ufffdX\ufffd\ufffdY\ufffdi\ufffd\ufffdyq", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001e\u0003\ufffd\ufffdBt\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd[\ufffd#\ufffdT\ufffd\u04a2\ufffd\ufffd\ufffd\ufffd&\u0000a\u0018\ufffd`8 `S\u0003>s&\ufffd'\ufffd>0\ufffdL\u001c\ufffdb\ufffdF7\u001e\u0135\ufffdD\ufffd\ufffd\u0011\ufffdoA\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e7ca8ffa6b062c164aa3b7c7bd218a5263409f14", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001e\u0003\ufffd\ufffdBt\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd[\ufffd#\ufffdT\ufffd\u04a2\ufffd\ufffd\ufffd\ufffd&\u0000a\u0018\ufffd`8 `S\u0003>s&\ufffd'\ufffd>0\ufffdL\u001c\ufffdb\ufffdF7\u001e\u0135\ufffdD\ufffd\ufffd\u0011\ufffdoA\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8083, "service": "http-alt-8083", "service_label_fr": "HTTP ALT 8083" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdBt\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd[\ufffd#\ufffdT\ufffd\u04a2\ufffd\ufffd\ufffd\ufffd&a\ufffd`8 `S>s&\ufffd'\ufffd>0\ufffdL\ufffdb\ufffdF7\u0135\ufffdD\ufffd\ufffd\ufffdoA\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "attack_vector": "postgres probe \u00b7 via HTTP ALT 8083:8083 \u00b7 (sonde \/ probe)", "target_port_label": "8083 \u00b7 HTTP ALT 8083", "emulator_service": "http-alt-8083", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http-alt-8083", "service_label_fr": "HTTP ALT 8083", "dst_port": 8083, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8083", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001e\u0003\ufffd\ufffdBt\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd[\ufffd#\ufffdT\ufffd\u04a2\ufffd\ufffd\ufffd\ufffd&\u0000a\u0018\ufffd`8 `S\u0003>s&\ufffd'\ufffd>0\ufffdL\u001c\ufffdb\ufffdF7\u001e\u0135\ufffdD\ufffd\ufffd\u0011\ufffdoA\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8083, "service": "http-alt-8083", "service_label_fr": "HTTP ALT 8083" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 8083:8083 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdBt\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd[\ufffd#\ufffdT\ufffd\u04a2\ufffd\ufffd\ufffd\ufffd&a\ufffd`8 `S>s&\ufffd'\ufffd>0\ufffdL\ufffdb\ufffdF7\u0135\ufffdD\ufffd\ufffd\ufffdoA\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "target_port_label": "8083 \u00b7 HTTP ALT 8083", "emulator_service": "http-alt-8083", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8083", "service_banner": "honeypot-http-alt-8083", "service_os": "linux", "dst_port": "8083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true }
16/06/2026 12:43:15 UTC	TCP	8083 · HTTP ALT 8083	http-alt-8083	Sonde PostgreSQL postgres probe · via HTTP ALT 8083:8083 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP-ALT-8083 WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8083 Chemin / cible — Service HTTP ALT 8083 Payload ��t��it�3鍮��7r2I �nt�7�\ 89��dݤ��27� �;F�]d��쐬L&̨̩�/�0�+�,�� /5� � Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��t��it�3鍮��7r2I �nt�7�\ 89��dݤ��27� �;F�]d��쐬L&̨̩�/�0�+�,�� /5� � Requête brute (extrait) ��t��it�3鍮��7r2I �nt�7�\ 89��dݤ��27� �;F�]d��쐬L&̨̩�/�0�+�,�� /5� � � h2http/1.1+ 3&$ ��r�SUi 0(�=f+�];5z/�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 261, "payload_entropy": 5.821893980970736, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http-alt-8083", "app_proto": "http-alt-8083", "asn": 16509, "country": "US", "dst_port": 8083, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "a1f49c85dab019e5ce5201c9821d38a5299dc784", "event_fingerprint": "aafb7ac8941c9e078930e4799c90ed51eac5bf8d", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-8083", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "09ce0160424458a5cb53e7bd41872088", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 8083, "service": "http-alt-8083", "service_name": "http-alt-8083", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdt\ufffd\ufffd\ufffd\ufffdit\ufffd3\u936e\ufffd\ufffd7r2I\n\u0013\ufffdnt\u0011\ufffd7\ufffd\\\u0001 \b89\ufffd\ufffd\u0006\ufffdd\u0764\ufffd\ufffd2\u00177\ufffd \ufffd;F\ufffd]\u001cd\ufffd\ufffd\uc42c\u000fL\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdt\ufffd\ufffd\ufffd\ufffdit\ufffd3\u936e\ufffd\ufffd7r2I\n\u0013\ufffdnt\u0011\ufffd7\ufffd\\\u0001 \b89\ufffd\ufffd\u0006\ufffdd\u0764\ufffd\ufffd2\u00177\ufffd \ufffd;F\ufffd]\u001cd\ufffd\ufffd\uc42c\u000fL\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffdr\ufffdSUi\u000b0(\ufffd=f+\u0013\u0015\b\ufffd];5z\/\ufffd\ufffd\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdt\ufffd\ufffd\ufffd\ufffdit\ufffd3\u936e\ufffd\ufffd7r2I\n\u0013\ufffdnt\u0011\ufffd7\ufffd\\\u0001 \b89\ufffd\ufffd\u0006\ufffdd\u0764\ufffd\ufffd2\u00177\ufffd \ufffd;F\ufffd]\u001cd\ufffd\ufffd\uc42c\u000fL\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ab9f33f6818d7c409aef94f53d20fb33125bf2d6", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdt\ufffd\ufffd\ufffd\ufffdit\ufffd3\u936e\ufffd\ufffd7r2I\n\u0013\ufffdnt\u0011\ufffd7\ufffd\\\u0001 \b89\ufffd\ufffd\u0006\ufffdd\u0764\ufffd\ufffd2\u00177\ufffd \ufffd;F\ufffd]\u001cd\ufffd\ufffd\uc42c\u000fL\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "port": 8083, "service": "http-alt-8083", "service_label_fr": "HTTP ALT 8083" }, "evidence_snippet": "\ufffd\ufffd\ufffdt\ufffd\ufffd\ufffd\ufffdit\ufffd3\u936e\ufffd\ufffd7r2I\n\ufffdnt\ufffd7\ufffd\\ 89\ufffd\ufffd\ufffdd\u0764\ufffd\ufffd27\ufffd \ufffd;F\ufffd]d\ufffd\ufffd\uc42cL&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via HTTP ALT 8083:8083 \u00b7 (sonde \/ probe)", "target_port_label": "8083 \u00b7 HTTP ALT 8083", "emulator_service": "http-alt-8083", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http-alt-8083", "service_label_fr": "HTTP ALT 8083", "dst_port": 8083, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8083", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdt\ufffd\ufffd\ufffd\ufffdit\ufffd3\u936e\ufffd\ufffd7r2I\n\u0013\ufffdnt\u0011\ufffd7\ufffd\\\u0001 \b89\ufffd\ufffd\u0006\ufffdd\u0764\ufffd\ufffd2\u00177\ufffd \ufffd;F\ufffd]\u001cd\ufffd\ufffd\uc42c\u000fL\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "port": 8083, "service": "http-alt-8083", "service_label_fr": "HTTP ALT 8083" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 8083:8083 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdt\ufffd\ufffd\ufffd\ufffdit\ufffd3\u936e\ufffd\ufffd7r2I\n\ufffdnt\ufffd7\ufffd\\ 8*9\ufffd\ufffd\ufffdd\u0764\ufffd\ufffd27\ufffd \ufffd;F\ufffd]d\ufffd\ufffd\uc42cL&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "8083 \u00b7 HTTP ALT 8083", "emulator_service": "http-alt-8083", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8083", "service_banner": "honeypot-http-alt-8083", "service_os": "linux", "dst_port": "8083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8083" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true }
16/06/2026 12:39:55 UTC	TCP	8083 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:8083 · (tentative d'exploit)	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8083 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8083 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/ Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8083 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4", "http_host_hash": "21e69ce58b85e5f3297487d2897913a40772a115", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.282072254328082, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "US", "dst_port": 8083, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 4, "anomaly_count": 0, "campaign_key": "cd20139a3db8808e6bda921a95c026b9c44a8f6c", "event_fingerprint": "4c1203a7b387ab4b56d9c5f8a71136068887d5c8", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cb226636f11f4f631f065fb419a8bab8", "payload_hash": "d0c5a9f905230ee8a3d9c7b8d282adda", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8083, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "evidence": { "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5e9c977a252ab719c0f77667aabb7f56cce40f77", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 8083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "attack_vector": "exploit attempt \u00b7 via HTTP:8083 \u00b7 (tentative d'exploit)", "target_port_label": "8083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 8083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:8083 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "target_port_label": "8083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8083" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ], "asn_dc_heuristic": true }
16/06/2026 12:38:13 UTC	TCP	8083 · HTTP ALT 8083	http-alt-8083	http-alt-8083 http-alt-8083 · via HTTP ALT 8083:8083 · (sonde / probe)	Faible	Faible · 2
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP-ALT-8083 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8083 Chemin / cible — Service HTTP ALT 8083 Pourquoi cette classification : Type « http-alt-8083 » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 2 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 1, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http-alt-8083", "app_proto": "http-alt-8083", "asn": 16509, "country": "US", "dst_port": 8083, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0 }, "risk_score": 2, "tag_count": 0, "anomaly_count": 0, "campaign_key": "4d8aadabcd1c859671a9c5ddc55350e79e517b17", "event_fingerprint": "aafb7ac8941c9e078930e4799c90ed51eac5bf8d", "classification_reason": "Type \u00ab http-alt-8083 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 2, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-8083", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "01ba4719c80b6fe911b091a7c05124b6", "path_pattern_hash": "54f123e610d8386f898485b621afba15" }, "target_context": { "dst_port": 8083, "service": "http-alt-8083", "service_name": "http-alt-8083", "risk_score": 2 }, "payload_preview": "\n", "request_sample": "\n", "evidence": { "request_sample": "\n", "classification_reason": "Type \u00ab http-alt-8083 \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "96cc80b82fcf34b790dbe70e6532ec9d2a57114b", "protocol_details": { "port": 8083, "service": "http-alt-8083", "service_label_fr": "HTTP ALT 8083" }, "attack_vector": "http-alt-8083 \u00b7 via HTTP ALT 8083:8083 \u00b7 (sonde \/ probe)", "target_port_label": "8083 \u00b7 HTTP ALT 8083", "emulator_service": "http-alt-8083", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab http-alt-8083 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab http-alt-8083 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 2, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 2, "risk_label": "Faible", "service_name": "http-alt-8083", "service_label_fr": "HTTP ALT 8083", "dst_port": 8083, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8083", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "port": 8083, "service": "http-alt-8083", "service_label_fr": "HTTP ALT 8083" }, "attack_vector": "http-alt-8083 \u00b7 via HTTP ALT 8083:8083 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8083 \u00b7 HTTP ALT 8083", "emulator_service": "http-alt-8083", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8083", "service_banner": "honeypot-http-alt-8083", "service_os": "linux", "dst_port": "8083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8083" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
16/06/2026 12:38:01 UTC	TCP	8083 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:8083 · (tentative d'exploit)	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8083 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 53 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8083 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/ Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8083 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4", "http_host_hash": "21e69ce58b85e5f3297487d2897913a40772a115", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.282072254328082, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "US", "dst_port": 8083, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 4, "anomaly_count": 0, "campaign_key": "cd20139a3db8808e6bda921a95c026b9c44a8f6c", "event_fingerprint": "4c1203a7b387ab4b56d9c5f8a71136068887d5c8", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cb226636f11f4f631f065fb419a8bab8", "payload_hash": "d0c5a9f905230ee8a3d9c7b8d282adda", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8083, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "evidence": { "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5e9c977a252ab719c0f77667aabb7f56cce40f77", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 8083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "attack_vector": "exploit attempt \u00b7 via HTTP:8083 \u00b7 (tentative d'exploit)", "target_port_label": "8083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 8083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:8083 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "target_port_label": "8083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ], "asn_dc_heuristic": true }
16/06/2026 12:22:25 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 35fa0a83e466acbe Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��W_�֯ЈR5��'��RXnRd3X[�j� �g� Ɣ��{��-�I.�l��4 경OX�&̨̩�/�0�+�,�� /5� { Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��W_�֯ЈR5��'��RXnRd3X[�j� �g�Ɣ��{��-�I.�l��4경OX�&̨̩�/�0�+�,�� /5� { Requête brute (extrait) ��W_�֯ЈR5��'��RXnRd3X[�j� �g� Ɣ��{��-�I.�l��4 경OX�&̨̩�/�0�+�,�� /5� { �+ 3&$ ,�t��B9��X��sz cs�N��G Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 243, "payload_entropy": 5.793741037208959, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 16509, "country": "US", "dst_port": 81, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "78af023cf79e2cc551b3bc717eee4762bcf624d5", "event_fingerprint": "da8b22a909c287a6570bb2c7dce20fa4de2070cb", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9e52bd701d9eb8ffcd2bb99c177f4246", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "35fa0a83e466acbec1cfbb9016d550ab", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdW_\ufffd\u001a\u05af\u0408R5\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffdR\u0006\bXnR\u0018d3X[\ufffdj\ufffd \ufffdg\ufffd\u000b\u0016\u0194\u0016\ufffd\ufffd\ufffd\ufffd{\ufffd\ufffd\u0011-\ufffdI.\ufffdl\ufffd\ufffd4\f\uacbdOX\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdW_\ufffd\u001a\u05af\u0408R5\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffdR\u0006\bXnR\u0018d3X[\ufffdj\ufffd \ufffdg\ufffd\u000b\u0016\u0194\u0016\ufffd\ufffd\ufffd\ufffd{\ufffd\ufffd\u0011-\ufffdI.\ufffdl\ufffd\ufffd4\f\uacbdOX\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 ,\ufffdt\ufffd\ufffd\ufffd\u0003\ufffdB9\ufffd\ufffd\ufffdX\u000e\ufffd\ufffd\u0013sz\rcs\u0016\ufffdN\ufffd\ufffd\u0019\ufffdG", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdW_\ufffd\u001a\u05af\u0408R5\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffdR\u0006\bXnR\u0018d3X[\ufffdj\ufffd \ufffdg\ufffd\u000b\u0016\u0194\u0016\ufffd\ufffd\ufffd\ufffd{\ufffd\ufffd\u0011-\ufffdI.\ufffdl\ufffd\ufffd4\f\uacbdOX\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e80f4e1a2b2afdf072a02d60a70397af05405bf9", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdW_\ufffd\u001a\u05af\u0408R5\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffdR\u0006\bXnR\u0018d3X[\ufffdj\ufffd \ufffdg\ufffd\u000b\u0016\u0194\u0016\ufffd\ufffd\ufffd\ufffd{\ufffd\ufffd\u0011-\ufffdI.\ufffdl\ufffd\ufffd4\f\uacbdOX\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffdW_\ufffd\u05af\u0408R5\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffdRXnRd3X[\ufffdj\ufffd \ufffdg\ufffd\u0194\ufffd\ufffd\ufffd\ufffd{\ufffd\ufffd-\ufffdI.\ufffdl\ufffd\ufffd4\uacbdOX\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdW_\ufffd\u001a\u05af\u0408R5\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffdR\u0006\bXnR\u0018d3X[\ufffdj\ufffd \ufffdg\ufffd\u000b\u0016\u0194\u0016\ufffd\ufffd\ufffd\ufffd{\ufffd\ufffd\u0011-\ufffdI.\ufffdl\ufffd\ufffd4\f\uacbdOX\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdW_\ufffd\u05af\u0408R5\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffdRXnRd3X[\ufffdj\ufffd \ufffdg\ufffd\u0194\ufffd\ufffd\ufffd\ufffd{\ufffd\ufffd-\ufffdI.\ufffdl\ufffd\ufffd4\uacbdOX\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true }
16/06/2026 12:20:56 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload �ᢷ�7��Ef�Ȓ�>�SoL��=(\��< �a�a�y�P t��8n��d��ː�&̨̩�/�0�+�,�� /5� � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �ᢷ�7��Ef�Ȓ�>�SoL��=(\��< �a�a�y�P t��8n��d��ː�&̨̩�/�0�+�,�� /5� � Requête brute (extrait) �ᢷ�7��Ef�Ȓ�>�SoL��=(\��< �a�a�y�P t��8n��d��ː�&̨̩�/�0�+�,�� /5� � � h2http/1.1+ 3&$ �\|o�C�QRX5`�bJJ��o�wr Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 261, "payload_entropy": 5.897732628492703, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 16509, "country": "US", "dst_port": 81, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "78af023cf79e2cc551b3bc717eee4762bcf624d5", "event_fingerprint": "da8b22a909c287a6570bb2c7dce20fa4de2070cb", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "47c47b577ff0aecd89696e6a315c6bbd", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u18b7\u001c\ufffd7\ufffd\ufffdE\u001df\ufffd\u0212\u001a\ufffd>\ufffdSoL\ufffd\ufffd\ufffd=(\\\ufffd\ufffd\ufffd< \ufffda\ufffd\u0015a\ufffdy\u0006\ufffdP\rt\ufffd\ufffd\ufffd8\u000fn\ufffd\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\u02d0\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u18b7\u001c\ufffd7\ufffd\ufffdE\u001df\ufffd\u0212\u001a\ufffd>\ufffdSoL\ufffd\ufffd\ufffd=(\\\ufffd\ufffd\ufffd< \ufffda\ufffd\u0015a\ufffdy\u0006\ufffdP\rt\ufffd\ufffd\ufffd8\u000fn\ufffd\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\u02d0\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\|o\u0015\ufffdC\ufffd\u001aQRX5`\ufffdbJ\u0002J\ufffd\ufffd\u0003\u0015\ufffdo\ufffdwr", "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u18b7\u001c\ufffd7\ufffd\ufffdE\u001df\ufffd\u0212\u001a\ufffd>\ufffdSoL\ufffd\ufffd\ufffd=(\\\ufffd\ufffd\ufffd< \ufffda\ufffd\u0015a\ufffdy\u0006\ufffdP\rt\ufffd\ufffd\ufffd8\u000fn\ufffd\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\u02d0\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2622b88d32a0ef284586c78876bdd3b0d97a84cc", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u18b7\u001c\ufffd7\ufffd\ufffdE\u001df\ufffd\u0212\u001a\ufffd>\ufffdSoL\ufffd\ufffd\ufffd=(\\\ufffd\ufffd\ufffd< \ufffda\ufffd\u0015a\ufffdy\u0006\ufffdP\rt\ufffd\ufffd\ufffd8\u000fn\ufffd\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\u02d0\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\u18b7\ufffd7\ufffd\ufffdEf\ufffd\u0212\ufffd>\ufffdSoL\ufffd\ufffd\ufffd=(\\\ufffd\ufffd\ufffd< \ufffda\ufffda\ufffdy\ufffdP\rt\ufffd\ufffd\ufffd8n\ufffd\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\u02d0\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u18b7\u001c\ufffd7\ufffd\ufffdE\u001df\ufffd\u0212\u001a\ufffd>\ufffdSoL\ufffd\ufffd\ufffd=(\\\ufffd\ufffd\ufffd< \ufffda\ufffd\u0015a\ufffdy\u0006\ufffdP\rt\ufffd\ufffd\ufffd8\u000fn\ufffd\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\u02d0\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\u18b7\ufffd7\ufffd\ufffdEf\ufffd\u0212\ufffd>\ufffdSoL\ufffd\ufffd\ufffd=(\\\ufffd\ufffd\ufffd< \ufffda\ufffda\ufffdy\ufffdP\rt\ufffd\ufffd\ufffd8n\ufffd\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\u02d0\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true }
16/06/2026 12:18:59 UTC	TCP	81 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:81 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 52 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:81 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/12 Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:81 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 189, "payload_entropy": 5.275092180157115, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "US", "dst_port": 81, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "080c80b14411b7d01098f46ec7a620807b47ebe0", "event_fingerprint": "ea594d22610095fdc4d5a1f374bfd407e5255a96", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cb226636f11f4f631f065fb419a8bab8", "payload_hash": "9b3b5bf4859d4c36609f262f208a7105", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/12", "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/12", "evidence": { "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/12", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d4ba519360513e306abc6dcc84a08e6b1eaaf5eb", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/12", "attack_vector": "exploit attempt \u00b7 via HTTP:81 \u00b7 (tentative d'exploit)", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:81 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/12", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ], "asn_dc_heuristic": true }
16/06/2026 12:17:50 UTC	TCP	81 · HTTP ALT 81	http-alt-81	http-alt-81 http-alt-81 · via HTTP ALT 81:81 · (sonde / probe)	Faible	Faible · 1
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Pourquoi cette classification : Type « http-alt-81 » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 1 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 1, "payload_entropy": 0, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 16509, "country": "US", "dst_port": 81, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0 }, "risk_score": 1, "tag_count": 0, "anomaly_count": 0, "campaign_key": "3f22551d39a092b08990354bd45c12679c434288", "event_fingerprint": "da8b22a909c287a6570bb2c7dce20fa4de2070cb", "classification_reason": "Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 1, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "01ba4719c80b6fe911b091a7c05124b6", "path_pattern_hash": "96b5770472eb71fcb1b2ba3134979c11" }, "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 1 }, "payload_preview": "\n", "request_sample": "\n", "evidence": { "request_sample": "\n", "classification_reason": "Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "808c22f7a69ff78921cd536dab56c5174fcd6b13", "protocol_details": { "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "http-alt-81 \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 1, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 1, "risk_label": "Faible", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "http-alt-81 \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
16/06/2026 12:17:44 UTC	TCP	81 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:81 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 52 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:81 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/12 Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:81 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 189, "payload_entropy": 5.275092180157115, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "US", "dst_port": 81, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "080c80b14411b7d01098f46ec7a620807b47ebe0", "event_fingerprint": "ea594d22610095fdc4d5a1f374bfd407e5255a96", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 52 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cb226636f11f4f631f065fb419a8bab8", "payload_hash": "9b3b5bf4859d4c36609f262f208a7105", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/12", "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/12", "evidence": { "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/12", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d4ba519360513e306abc6dcc84a08e6b1eaaf5eb", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/12", "attack_vector": "exploit attempt \u00b7 via HTTP:81 \u00b7 (tentative d'exploit)", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 52 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:81 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/12", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ], "asn_dc_heuristic": true }
16/06/2026 11:46:13 UTC	TCP	8800 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:8800 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 35fa0a83e466acbe Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8800 Chemin / cible — Service TLS Payload ��'��(T�=֫��;_X��j�� p��p�� lb}}tR~ .X(<�q=��=&̨̩�/�0�+�,�� /5� { Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��'��(T�=֫��;_X��j�� p��p��lb}}tR~ .X(<�q=��=&̨̩�/�0�+�,�� /5� { Requête brute (extrait) ��'��(T�=֫��;_X��j�� p��p�� lb}}tR~ .X(<�q=��=&̨̩�/�0�+�,�� /5� { �+ 3&$ �,K��X�T��5�nP�蝮$�z5�xJ�1�7 Meta JSON brut { "tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 243, "payload_entropy": 5.820856392169371, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "tls", "app_proto": "tls", "asn": 16509, "country": "US", "dst_port": 8800, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "19a05e91343d34e5dbb175b666e2d1ff588f8800", "event_fingerprint": "c42768ca73332ece92bda214ce06e55f9927e0fe", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "35fa0a83e466acbec1cfbb9016d550ab", "payload_hash": "916a9ede0343a8dcf3f38bca419cd786", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8800, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffd\ufffd\u001c(T\u0005\ufffd=\u05ab\ufffd\ufffd;_X\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0005 p\ufffd\u001e\ufffdp\ufffd\ufffd\u001c\ufffd\fl\u000eb}}tR~\r.X\u0003(<\ufffdq=\ufffd\u0018\ufffd\ufffd=\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffd\ufffd\u001c(T\u0005\ufffd=\u05ab\ufffd\ufffd;_X\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0005 p\ufffd\u001e\ufffdp\ufffd\ufffd\u001c\ufffd\fl\u000eb}}tR~\r.X\u0003(<\ufffdq=\ufffd\u0018\ufffd\ufffd=\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd,K\ufffd\ufffd\u0001X\ufffdT\ufffd\ufffd\ufffd5\ufffdn\u0005P\ufffd\u876e$\ufffdz5\ufffdxJ\ufffd1\ufffd7", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffd\ufffd\u001c(T\u0005\ufffd=\u05ab\ufffd\ufffd;_X\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0005 p\ufffd\u001e\ufffdp\ufffd\ufffd\u001c\ufffd\fl\u000eb}}tR~\r.X\u0003(<\ufffdq=\ufffd\u0018\ufffd\ufffd=\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7f7e780863a6a77d7418dfe71fedc88e17518a80", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffd\ufffd\u001c(T\u0005\ufffd=\u05ab\ufffd\ufffd;_X\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0005 p\ufffd\u001e\ufffdp\ufffd\ufffd\u001c\ufffd\fl\u000eb}}tR~\r.X\u0003(<\ufffdq=\ufffd\u0018\ufffd\ufffd=\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8800, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffd\ufffd(T\ufffd=\u05ab\ufffd\ufffd;_X\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd p\ufffd\ufffdp\ufffd\ufffd\ufffdlb}}tR~\r.X(<\ufffdq=\ufffd\ufffd\ufffd=&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "attack_vector": "postgres probe \u00b7 via TLS:8800 \u00b7 (sonde \/ probe)", "target_port_label": "8800 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8800, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffd\ufffd\u001c(T\u0005\ufffd=\u05ab\ufffd\ufffd;_X\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0005 p\ufffd\u001e\ufffdp\ufffd\ufffd\u001c\ufffd\fl\u000eb}}tR~\r.X\u0003(<\ufffdq=\ufffd\u0018\ufffd\ufffd=\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8800, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:8800 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffd\ufffd(T\ufffd=\u05ab\ufffd\ufffd;_X\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd p\ufffd\ufffdp\ufffd\ufffd\ufffdlb}}tR~\r.X(<\ufffdq=\ufffd\ufffd\ufffd=&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "target_port_label": "8800 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8800" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
16/06/2026 11:45:48 UTC	TCP	8800 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:8800 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 7c1e207beb00684b Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8800 Chemin / cible — Service TLS Payload ��SSn��q��!_���=��)� ��Gf)K�s�EK��B��j�'�S{I��&̨̩�/�0�+�,�� /5� � Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��SSn��q��!_���=��)� ��Gf)K�s�EK��B��j�'�S{I��&̨̩�/�0�+�,�� /5� � Requête brute (extrait) ��SSn��q��!_���=��)� ��Gf)K�s�EK��B��j�'�S{I��&̨̩�/�0�+�,�� /5� � � h2http/1.1+ 3&$ ︌P�e�`>��m��d��p� Meta JSON brut { "tls_ja3_hash": "7c1e207beb00684bbbe144f1b0abe1d5", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "tls_alpn": [ "h2", "http\/1.1" ], "bytes_in": 261, "payload_entropy": 5.964597584485738, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "tls", "app_proto": "tls", "asn": 16509, "country": "US", "dst_port": 8800, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "19a05e91343d34e5dbb175b666e2d1ff588f8800", "event_fingerprint": "71c2d8fe238490c5a995667b73e65ba510d55f99", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "7c1e207beb00684bbbe144f1b0abe1d5", "payload_hash": "04ad9418c7aa7737bb531b7a8d7fd187", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 8800, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdSSn\ufffd\ufffd\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd!_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffd)\ufffd \u0003\u0013\ufffd\ufffd\u0013G\u0012f)K\ufffds\u0015\ufffdEK\u0019\ufffd\ufffdB\ufffd\ufffd\ufffdj\ufffd'\ufffdS{I\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdSSn\ufffd\ufffd\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd!_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffd)\ufffd \u0003\u0013\ufffd\ufffd\u0013G\u0012f)K\ufffds\u0015\ufffdEK\u0019\ufffd\ufffdB\ufffd\ufffd\ufffdj\ufffd'\ufffdS{I\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufe0cP\u0011\ufffde\ufffd\u001f`>\ufffd\ufffd\ufffdm\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\u001d\ufffdp\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdSSn\ufffd\ufffd\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd!_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffd)\ufffd \u0003\u0013\ufffd\ufffd\u0013G\u0012f)K\ufffds\u0015\ufffdEK\u0019\ufffd\ufffdB\ufffd\ufffd\ufffdj\ufffd'\ufffdS{I\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c265a0db314b6fd9c8000183a1dbebfd3d6af997", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdSSn\ufffd\ufffd\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd!_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffd)\ufffd \u0003\u0013\ufffd\ufffd\u0013G\u0012f)K\ufffds\u0015\ufffdEK\u0019\ufffd\ufffdB\ufffd\ufffd\ufffdj\ufffd'\ufffdS{I\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5", "port": 8800, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffdSSn\ufffd\ufffd\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd!_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffd)\ufffd \ufffd\ufffdGf)K\ufffds\ufffdEK\ufffd\ufffdB\ufffd\ufffd\ufffdj\ufffd'\ufffdS{I\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:8800 \u00b7 (sonde \/ probe)", "target_port_label": "8800 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8800, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdSSn\ufffd\ufffd\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd!_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffd)\ufffd \u0003\u0013\ufffd\ufffd\u0013G\u0012f)K\ufffds\u0015\ufffdEK\u0019\ufffd\ufffdB\ufffd\ufffd\ufffdj\ufffd'\ufffdS{I\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5", "port": 8800, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:8800 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdSSn\ufffd\ufffd\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd!_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd*\ufffd=\ufffd\ufffd\ufffd)\ufffd \ufffd\ufffdGf)K\ufffds\ufffdEK\ufffd\ufffdB\ufffd\ufffd\ufffdj\ufffd'\ufffdS{I\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "8800 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8800" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
16/06/2026 11:42:51 UTC	TCP	8800 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:8800 · (tentative d'exploit)	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8800 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 53 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8800 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/ Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8800 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4", "http_host_hash": "7bcd279d4417b56f827a93b5d7ca5fded437b0c7", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.279724709743229, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "US", "dst_port": 8800, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 53, "tag_count": 3, "anomaly_count": 0, "campaign_key": "7a27eb74e2234f12ae8d79dbdb561a18de58e2d6", "event_fingerprint": "4b43e467612f766d4443dfb353e6c20217c01499", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 53 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cb226636f11f4f631f065fb419a8bab8", "payload_hash": "10b0d8ab615ed12a17ea185651524102", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8800, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "evidence": { "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ee859fa007afc78d7cab768f0a279e5047b89521", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 8800, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "attack_vector": "exploit attempt \u00b7 via HTTP:8800 \u00b7 (tentative d'exploit)", "target_port_label": "8800 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 53 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8800, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 8800, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:8800 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "target_port_label": "8800 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8800" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "asn_dc_heuristic": true }
16/06/2026 11:42:03 UTC	TCP	8800 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:8800 · (tentative d'exploit)	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8800 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 53 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8800 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/ Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8800 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4", "http_host_hash": "7bcd279d4417b56f827a93b5d7ca5fded437b0c7", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.279724709743229, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "US", "dst_port": 8800, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 53, "tag_count": 3, "anomaly_count": 0, "campaign_key": "7a27eb74e2234f12ae8d79dbdb561a18de58e2d6", "event_fingerprint": "4b43e467612f766d4443dfb353e6c20217c01499", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 53 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cb226636f11f4f631f065fb419a8bab8", "payload_hash": "10b0d8ab615ed12a17ea185651524102", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8800, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "evidence": { "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ee859fa007afc78d7cab768f0a279e5047b89521", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 8800, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "attack_vector": "exploit attempt \u00b7 via HTTP:8800 \u00b7 (tentative d'exploit)", "target_port_label": "8800 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 53 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8800, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 8800, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:8800 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "target_port_label": "8800 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8800" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 96 }
16/06/2026 11:35:02 UTC	TCP	1025 · TERADATA	teradata	Sonde PostgreSQL postgres probe · via TERADATA:1025 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 35fa0a83e466acbe Émulateur TERADATA WAF — Recommandation Surveiller Tags net_teradata_probe teradata_emulated teradata_payload tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1025 Chemin / cible — Service TERADATA Payload ��XW$ż��!��)wY�ut��8� �F�+.�o�TZ��L��9 ��ΉG&:�˺&̨̩�/�0�+�,�� /5� { Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��XW$ż��!��)wY�ut��8� �F�+.�o�TZ��L��9��ΉG&:�˺&̨̩�/�0�+�,�� /5� { Requête brute (extrait) ��XW$ż��!��)wY�ut��8� �F�+.�o�TZ��L��9 ��ΉG&:�˺&̨̩�/�0�+�,�� /5� { �+ 3&$ ��F��7�j��XH�0��@fW[��k � Meta JSON brut { "protocol_emulated": true, "emulator_response": "0000000c0000000000000000", "emulator_response_len": 12, "bytes_in": 243, "payload_entropy": 5.808297611775534, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "teradata", "app_proto": "teradata", "asn": 16509, "country": "US", "dst_port": 1025, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a2268b95cbd4326ddee5f296a2032327c3583daa", "event_fingerprint": "a85579a7a3e45f06afb902a019cc7327fde3a2f5", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "teradata", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "47b2fddd191542ffb53123ca3325d33c", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "35fa0a83e466acbec1cfbb9016d550ab", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 1025, "service": "teradata", "service_name": "teradata", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001XW$\u017c\u0005\ufffd\ufffd!\ufffd\u0018\ufffd\ufffd\ufffd\ufffd\ufffd)wY\u0007\ufffdu\u000ft\ufffd\ufffd8\ufffd \ufffdF\ufffd+.\ufffdo\ufffdTZ\ufffd\ufffdL\ufffd\u001a\ufffd\ufffd9\u000b\u001e\f\ufffd\ufffd\u0389G&:\ufffd\u02fa\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001XW$\u017c\u0005\ufffd\ufffd!\ufffd\u0018\ufffd\ufffd\ufffd\ufffd\ufffd)wY\u0007\ufffdu\u000ft\ufffd\ufffd8\ufffd \ufffdF\ufffd+.\ufffdo\ufffdTZ\ufffd\ufffdL\ufffd\u001a\ufffd\ufffd9\u000b\u001e\f\ufffd\ufffd\u0389G&:\ufffd\u02fa\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffdF\ufffd\ufffd7\ufffdj\ufffd\ufffd\u001dXH\ufffd0\ufffd\ufffd@fW\u000e[\u001f\u0000\ufffd\ufffdk \ufffd\u0003", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001XW$\u017c\u0005\ufffd\ufffd!\ufffd\u0018\ufffd\ufffd\ufffd\ufffd\ufffd)wY\u0007\ufffdu\u000ft\ufffd\ufffd8\ufffd \ufffdF\ufffd+.\ufffdo\ufffdTZ\ufffd\ufffdL\ufffd\u001a\ufffd\ufffd9\u000b\u001e\f\ufffd\ufffd\u0389G&:\ufffd\u02fa\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8b791ddf964bfd1dcdafa7852ac6a26190058b07", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001XW$\u017c\u0005\ufffd\ufffd!\ufffd\u0018\ufffd\ufffd\ufffd\ufffd\ufffd)wY\u0007\ufffdu\u000ft\ufffd\ufffd8\ufffd \ufffdF\ufffd+.\ufffdo\ufffdTZ\ufffd\ufffdL\ufffd\u001a\ufffd\ufffd9\u000b\u001e\f\ufffd\ufffd\u0389G&:\ufffd\u02fa\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 1025, "service": "teradata", "service_label_fr": "TERADATA" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdXW$\u017c\ufffd\ufffd!\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd)wY\ufffdut\ufffd\ufffd8\ufffd \ufffdF\ufffd+.\ufffdo\ufffdTZ\ufffd\ufffdL\ufffd\ufffd\ufffd9\ufffd\ufffd\u0389G&:\ufffd\u02fa&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "attack_vector": "postgres probe \u00b7 via TERADATA:1025 \u00b7 (sonde \/ probe)", "target_port_label": "1025 \u00b7 TERADATA", "emulator_service": "teradata", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "teradata", "service_label_fr": "TERADATA", "dst_port": 1025, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-teradata", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001XW$\u017c\u0005\ufffd\ufffd!\ufffd\u0018\ufffd\ufffd\ufffd\ufffd\ufffd)wY\u0007\ufffdu\u000ft\ufffd\ufffd8\ufffd \ufffdF\ufffd+.\ufffdo\ufffdTZ\ufffd\ufffdL\ufffd\u001a\ufffd\ufffd9\u000b\u001e\f\ufffd\ufffd\u0389G&:\ufffd\u02fa\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 1025, "service": "teradata", "service_label_fr": "TERADATA" }, "attack_vector": "postgres probe \u00b7 via TERADATA:1025 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdXW$\u017c\ufffd\ufffd!\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd)wY\ufffdut\ufffd\ufffd8\ufffd \ufffdF\ufffd+.\ufffdo\ufffdTZ\ufffd\ufffdL\ufffd\ufffd\ufffd9\ufffd\ufffd\u0389G&:\ufffd\u02fa&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "target_port_label": "1025 \u00b7 TERADATA", "emulator_service": "teradata", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "teradata", "service_banner": "honeypot-teradata", "service_os": "linux", "dst_port": "1025" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_teradata_probe", "teradata_emulated", "teradata_payload", "tls_clienthello" ], "asn_dc_heuristic": true }
16/06/2026 11:33:20 UTC	TCP	1025 · TERADATA	teradata	Sonde PostgreSQL postgres probe · via TERADATA:1025 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TERADATA WAF — Recommandation Surveiller Tags net_teradata_probe teradata_emulated teradata_payload tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1025 Chemin / cible — Service TERADATA Payload ��?��(>p``r6�T�N~ZB�g@�G� �P ѫO�;��eT=��H�W� �N��ۀE&̨̩�/�0�+�,�� /5� � Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��?��(>p``r6�T�N~ZB�g@�G� �P ѫO�;��eT=��H�W� �N��ۀE&̨̩�/�0�+�,�� /5� � Requête brute (extrait) ��?��(>p``r6�T�N~ZB�g@�G� �P ѫO�;��eT=��H�W� �N��ۀE&̨̩�/�0�+�,�� /5� � � h2http/1.1+ 3&$ �O2GH��Cp��}�.�6��k Meta JSON brut { "protocol_emulated": true, "emulator_response": "0000000c0000000000000000", "emulator_response_len": 12, "bytes_in": 261, "payload_entropy": 5.851067456449574, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "teradata", "app_proto": "teradata", "asn": 16509, "country": "US", "dst_port": 1025, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a2268b95cbd4326ddee5f296a2032327c3583daa", "event_fingerprint": "a85579a7a3e45f06afb902a019cc7327fde3a2f5", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "teradata", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "874d76ff26ae94a046fe7824e4ec95ca", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 1025, "service": "teradata", "service_name": "teradata", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd(>p\u0006``r6\ufffd\u0011T\ufffdN~ZB\ufffdg\u000f@\ufffdG\ufffd \ufffdP\r\u046bO\ufffd\u0003;\ufffd\ufffdeT=\ufffd\ufffd\ufffdH\ufffdW\u0018\ufffd\n\ufffd\u001bN\ufffd\ufffd\u06c0E\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd(>p\u0006``r6\ufffd\u0011T\ufffdN~ZB\ufffdg\u000f@\ufffdG\ufffd \ufffdP\r\u046bO\ufffd\u0003;\ufffd\ufffdeT=\ufffd\ufffd\ufffdH\ufffdW\u0018\ufffd\n\ufffd\u001bN\ufffd\ufffd\u06c0E\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdO2G\u0013H\ufffd\ufffd\ufffdC\u001fp\ufffd\u0013\ufffd}\ufffd.\ufffd\u00016\ufffd\ufffd\ufffdk", "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd(>p\u0006``r6\ufffd\u0011T\ufffdN~ZB\ufffdg\u000f@\ufffdG\ufffd \ufffdP\r\u046bO\ufffd\u0003;\ufffd\ufffdeT=\ufffd\ufffd\ufffdH\ufffdW\u0018\ufffd\n\ufffd\u001bN\ufffd\ufffd\u06c0E\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7efcda4be5d04a04c1962683e146e34381603bab", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd(>p\u0006``r6\ufffd\u0011T\ufffdN~ZB\ufffdg\u000f@\ufffdG\ufffd \ufffdP\r\u046bO\ufffd\u0003;\ufffd\ufffdeT=\ufffd\ufffd\ufffdH\ufffdW\u0018\ufffd\n\ufffd\u001bN\ufffd\ufffd\u06c0E\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "port": 1025, "service": "teradata", "service_label_fr": "TERADATA" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd(>p``r6\ufffdT\ufffdN~ZB\ufffdg@\ufffdG\ufffd \ufffdP\r\u046bO\ufffd;\ufffd\ufffdeT=\ufffd\ufffd\ufffdH\ufffdW\ufffd\n\ufffdN\ufffd\ufffd\u06c0E&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via TERADATA:1025 \u00b7 (sonde \/ probe)", "target_port_label": "1025 \u00b7 TERADATA", "emulator_service": "teradata", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "teradata", "service_label_fr": "TERADATA", "dst_port": 1025, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-teradata", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd(>p\u0006``r6\ufffd\u0011T\ufffdN~ZB\ufffdg\u000f@\ufffdG\ufffd \ufffdP\r\u046bO\ufffd\u0003;\ufffd\ufffdeT=\ufffd\ufffd\ufffdH\ufffdW\u0018\ufffd\n\ufffd\u001bN\ufffd\ufffd\u06c0E\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "port": 1025, "service": "teradata", "service_label_fr": "TERADATA" }, "attack_vector": "postgres probe \u00b7 via TERADATA:1025 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd(>p``r6\ufffdT\ufffdN~ZB\ufffd*g@\ufffdG\ufffd \ufffdP\r\u046bO\ufffd;\ufffd\ufffdeT=\ufffd\ufffd\ufffdH\ufffdW\ufffd\n\ufffdN\ufffd\ufffd\u06c0E&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "1025 \u00b7 TERADATA", "emulator_service": "teradata", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "teradata", "service_banner": "honeypot-teradata", "service_os": "linux", "dst_port": "1025" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_teradata_probe", "teradata_emulated", "teradata_payload", "tls_clienthello" ], "asn_dc_heuristic": true }
16/06/2026 11:32:16 UTC	TCP	1025 · TERADATA	teradata	teradata probe teradata probe · via TERADATA:1025 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TERADATA WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_teradata_probe teradata_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1025 Chemin / cible — Service TERADATA Payload GET / HTTP/1.1 Host: 62.3.50.33:1025 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/ Pourquoi cette classification : Type « teradata_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1025 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/ Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1025 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "0000000c0000000000000000", "emulator_response_len": 12, "bytes_in": 191, "payload_entropy": 5.25922132251342, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "teradata", "app_proto": "teradata", "asn": 16509, "country": "US", "dst_port": 1025, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 34, "tag_count": 5, "anomaly_count": 0, "campaign_key": "93e731b16bb6a862a1011d1b1df80ec6e779c3d6", "event_fingerprint": "a85579a7a3e45f06afb902a019cc7327fde3a2f5", "classification_reason": "Type \u00ab teradata_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "teradata", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "609dc28b41783c53d3ca11529eee9aa0", "path_pattern_hash": "36082129deb648fb4229f9345cdd0a13" }, "target_context": { "dst_port": 1025, "service": "teradata", "service_name": "teradata", "risk_score": 34 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "classification_reason": "Type \u00ab teradata_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "91fc69205725bb54f20498fb6f32f0ac3e2bb17b", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "port": 1025, "service": "teradata", "service_label_fr": "TERADATA" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "attack_vector": "teradata probe \u00b7 via TERADATA:1025 \u00b7 (sonde \/ probe)", "target_port_label": "1025 \u00b7 TERADATA", "emulator_service": "teradata", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab teradata_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab teradata_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "teradata", "service_label_fr": "TERADATA", "dst_port": 1025, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-teradata", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "port": 1025, "service": "teradata", "service_label_fr": "TERADATA" }, "attack_vector": "teradata probe \u00b7 via TERADATA:1025 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "target_port_label": "1025 \u00b7 TERADATA", "emulator_service": "teradata", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "teradata", "service_banner": "honeypot-teradata", "service_os": "linux", "dst_port": "1025" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_teradata_probe", "teradata_emulated", "teradata_payload" ], "asn_dc_heuristic": true }
16/06/2026 11:31:26 UTC	TCP	1025 · TERADATA	teradata	teradata probe teradata probe · via TERADATA:1025 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TERADATA WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_teradata_probe teradata_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1025 Chemin / cible — Service TERADATA Payload GET / HTTP/1.1 Host: 62.3.50.33:1025 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/ Pourquoi cette classification : Type « teradata_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1025 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/ Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1025 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "0000000c0000000000000000", "emulator_response_len": 12, "bytes_in": 191, "payload_entropy": 5.25922132251342, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "teradata", "app_proto": "teradata", "asn": 16509, "country": "US", "dst_port": 1025, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 34, "tag_count": 5, "anomaly_count": 0, "campaign_key": "93e731b16bb6a862a1011d1b1df80ec6e779c3d6", "event_fingerprint": "a85579a7a3e45f06afb902a019cc7327fde3a2f5", "classification_reason": "Type \u00ab teradata_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "teradata", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "609dc28b41783c53d3ca11529eee9aa0", "path_pattern_hash": "36082129deb648fb4229f9345cdd0a13" }, "target_context": { "dst_port": 1025, "service": "teradata", "service_name": "teradata", "risk_score": 34 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "classification_reason": "Type \u00ab teradata_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "91fc69205725bb54f20498fb6f32f0ac3e2bb17b", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "port": 1025, "service": "teradata", "service_label_fr": "TERADATA" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "attack_vector": "teradata probe \u00b7 via TERADATA:1025 \u00b7 (sonde \/ probe)", "target_port_label": "1025 \u00b7 TERADATA", "emulator_service": "teradata", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab teradata_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab teradata_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "teradata", "service_label_fr": "TERADATA", "dst_port": 1025, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-teradata", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "port": 1025, "service": "teradata", "service_label_fr": "TERADATA" }, "attack_vector": "teradata probe \u00b7 via TERADATA:1025 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1025\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "target_port_label": "1025 \u00b7 TERADATA", "emulator_service": "teradata", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "teradata", "service_banner": "honeypot-teradata", "service_os": "linux", "dst_port": "1025" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_teradata_probe", "teradata_emulated", "teradata_payload" ], "asn_dc_heuristic": true }
16/06/2026 11:30:11 UTC	TCP	1025 · TERADATA	teradata	teradata probe teradata probe · via TERADATA:1025 · (sonde / probe)	Élevée	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur TERADATA WAF — Recommandation Surveiller Tags net_teradata_probe teradata_emulated teradata_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1025 Chemin / cible — Service TERADATA Pourquoi cette classification : Type « teradata_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 24 Confiance : Confiance 0 % — 3 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "0000000c0000000000000000", "emulator_response_len": 12, "bytes_in": 1, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "teradata", "app_proto": "teradata", "asn": 16509, "country": "US", "dst_port": 1025, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1a0a0f62e58d15719368a3ab1a44603f819e9fc2", "event_fingerprint": "a85579a7a3e45f06afb902a019cc7327fde3a2f5", "classification_reason": "Type \u00ab teradata_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 24 }, "named_classification_skipped": false, "service_name": "teradata", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "01ba4719c80b6fe911b091a7c05124b6", "path_pattern_hash": "36082129deb648fb4229f9345cdd0a13" }, "target_context": { "dst_port": 1025, "service": "teradata", "service_name": "teradata", "risk_score": 24 }, "payload_preview": "\n", "request_sample": "\n", "evidence": { "request_sample": "\n", "classification_reason": "Type \u00ab teradata_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "35457a8e9e965386f3f5fd87165b2cd1c56b9dd8", "protocol_details": { "port": 1025, "service": "teradata", "service_label_fr": "TERADATA" }, "attack_vector": "teradata probe \u00b7 via TERADATA:1025 \u00b7 (sonde \/ probe)", "target_port_label": "1025 \u00b7 TERADATA", "emulator_service": "teradata", "confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab teradata_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab teradata_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 24 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "teradata", "service_label_fr": "TERADATA", "dst_port": 1025, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-teradata", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 1025, "service": "teradata", "service_label_fr": "TERADATA" }, "attack_vector": "teradata probe \u00b7 via TERADATA:1025 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "1025 \u00b7 TERADATA", "emulator_service": "teradata", "confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "teradata", "service_banner": "honeypot-teradata", "service_os": "linux", "dst_port": "1025" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_teradata_probe", "teradata_emulated", "teradata_payload" ], "asn_dc_heuristic": true }

3.19.68.187

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence