|
|
TCP |
2086
|
—
|
Scan de ports
port scan syn · port 2086 · (reconnaissance)
|
Faible
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2086
Chemin / cible
—
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +18
Risque capteur
Moyen
· 42
Confiance : Confiance élevée (100 %) — signaux convergents
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": null,
"app_proto": null,
"asn": 16509,
"country": "KR",
"dst_port": 2086,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 42,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "7461ef7ab1c7ab6a3c4a9e619df57905c7fd91ec",
"event_fingerprint": "d4b04e5049a55cc0a97c40efc93b31751eaa746e",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 18
},
"named_classification_skipped": false,
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "KR",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 2086,
"risk_score": 42
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ae75b4f52310efc3171dab716dd194bffba13dcc",
"protocol_details": {
"port": 2086
},
"attack_vector": "port scan syn \u00b7 port 2086 \u00b7 (reconnaissance)",
"target_port_label": "2086",
"confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 multi-protocole (6 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 18
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 2086,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +18",
"protocol_details": {
"port": 2086
},
"attack_vector": "port scan syn \u00b7 port 2086 \u00b7 (reconnaissance)",
"evidence_snippet": null,
"target_port_label": "2086",
"emulator_service": null,
"confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "2086"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 6,
"port_scan_ports_sample": [
2077,
2078,
2083,
2086,
2087,
2095
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 6,
"scan_velocity_ports_per_s": 60,
"multi_protocol_correlation": true,
"multi_protocol_count": 6,
"multi_protocol_sample": [
"cpanel-ssl",
"cpanel-whm",
"port:2077",
"port:2078",
"port:2086",
"port:2095"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 18,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"asn_dc_heuristic": true
}
|
|
|
TCP |
2096
|
—
|
Scan de ports
port scan syn · port 2096 · (reconnaissance)
|
Faible
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2096
Chemin / cible
—
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +18
Risque capteur
Moyen
· 42
Confiance : Confiance élevée (100 %) — signaux convergents
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": null,
"app_proto": null,
"asn": 16509,
"country": "KR",
"dst_port": 2096,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 42,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "b2d3d08c24b165fc722efd535df6de9a0712b673",
"event_fingerprint": "459b248b40f6c3504248ef0f16a45d6a966e68f6",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 18
},
"named_classification_skipped": false,
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "KR",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 2096,
"risk_score": 42
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4f00d90a2248967d152928cebf27be52b96caffe",
"protocol_details": {
"port": 2096
},
"attack_vector": "port scan syn \u00b7 port 2096 \u00b7 (reconnaissance)",
"target_port_label": "2096",
"confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 multi-protocole (7 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 18
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 2096,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +18",
"protocol_details": {
"port": 2096
},
"attack_vector": "port scan syn \u00b7 port 2096 \u00b7 (reconnaissance)",
"evidence_snippet": null,
"target_port_label": "2096",
"emulator_service": null,
"confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "2096"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 7,
"port_scan_ports_sample": [
2077,
2078,
2083,
2086,
2087,
2095,
2096
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 7,
"scan_velocity_ports_per_s": 70,
"multi_protocol_correlation": true,
"multi_protocol_count": 7,
"multi_protocol_sample": [
"cpanel-ssl",
"cpanel-whm",
"port:2077",
"port:2078",
"port:2086",
"port:2095",
"port:2096"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 18,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"asn_dc_heuristic": true
}
|
|
|
TCP |
2077
|
—
|
Sonde port
Sonde port · port 2077 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2077
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": null,
"app_proto": null,
"asn": 16509,
"country": "KR",
"dst_port": 2077,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 0,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "f1191dfb709b7ac67d5ed9918ad68b24cba18c54",
"event_fingerprint": "07d88d1df5a8bacf3c8aed6c9609c080b5d06a2a",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "KR",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 2077,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "77c8a4d601ddd7259755ea69ce286aa89631a321",
"protocol_details": {
"port": 2077
},
"attack_vector": "Sonde port \u00b7 port 2077 \u00b7 (sonde \/ probe)",
"target_port_label": "2077",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 2077,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"port": 2077
},
"attack_vector": "Sonde port \u00b7 port 2077 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "2077",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "2077"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"asn_dc_heuristic": true
}
|
|
|
TCP |
2083 · CPANEL SSL
|
cpanel-ssl
|
cpanel probe
cpanel probe · via CPANEL SSL:2083 · (sonde / probe)
|
Élevée
|
Faible · 34
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
CPANEL-SSL
WAF
—
Recommandation
Surveiller
Tags
cpanel_ssl_emulated
net_cpanel_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2083
Chemin / cible
—
Pourquoi cette classification : Type « cpanel_probe » (signaux protocolaires) · confiance 0%
Confiance classification
8%
Corrélation +8
Risque capteur
Faible
· 34
Confiance : Confiance 0 % — 2 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "cpanel-ssl",
"app_proto": "cpanel-ssl",
"asn": 16509,
"country": "KR",
"dst_port": 2083,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.7,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 34,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "c0f9f6f627a73b24caa302338d5283f47efa634a",
"event_fingerprint": "80d2812b66b9080b0842670f25ce9d4d3386dae1",
"classification_reason": "Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0.08,
"classification_confidence": 0.08,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 34,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "cpanel-ssl",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "KR",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "e7139612faef5d92b03716e3491ff506"
},
"target_context": {
"dst_port": 2083,
"service": "cpanel-ssl",
"service_name": "cpanel-ssl",
"risk_score": 34
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"enterprise_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b54d026a0a22eb5273cf5f714c1d3d76f510f71f",
"protocol_details": {
"port": 2083,
"service": "cpanel-ssl",
"service_label_fr": "CPANEL SSL"
},
"attack_vector": "cpanel probe \u00b7 via CPANEL SSL:2083 \u00b7 (sonde \/ probe)",
"target_port_label": "2083 \u00b7 CPANEL SSL",
"emulator_service": "cpanel-ssl",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100",
"confidence_pct": 8,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 34,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 34,
"risk_label": "Faible",
"service_name": "cpanel-ssl",
"service_label_fr": "CPANEL SSL",
"dst_port": 2083,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cpanel-ssl",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"port": 2083,
"service": "cpanel-ssl",
"service_label_fr": "CPANEL SSL"
},
"attack_vector": "cpanel probe \u00b7 via CPANEL SSL:2083 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "2083 \u00b7 CPANEL SSL",
"emulator_service": "cpanel-ssl",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cpanel_ssl",
"service_banner": "honeypot-cpanel-ssl",
"service_os": "linux",
"dst_port": "2083"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"cpanel-ssl",
"port:2077"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"cpanel_ssl_emulated",
"net_cpanel_probe"
],
"asn_dc_heuristic": true
}
|