Renseignement sur les menaces

Corée du Sud

3.38.144.20

FAI Amazon.com, Inc. Première vue 18/06/2026 00:06 UTC Dernière vue 18/06/2026 00:07 UTC Risque Élevé

Période analysée : 2026-06-11 → 2026-06-18

Activité suspecte — risque 42/100 (Moyen) — MITRE T1046 — confiance 100 % — via CPANEL WHM — multi-protocole (8 protocoles · 5 min)

Campagne multi-ports détectée sur une fenêtre courte

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 67/100 Élevé

Première observation 18/06/2026 00:06 UTC

Dernière observation 18/06/2026 00:07 UTC

Événements (période) 54

MITRE ATT&CK principal T1046 49 occurrences

Activité suspecte — risque 42/100 (Moyen) — MITRE T1046 — confiance 100 % — via CPANEL WHM — multi-protocole (8 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_scan_syn » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 8 · Bonus corrélation +14

Comparaison ASN / FAI

ASN 16509 · 3.36.0.0/14 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 54 événements sur la période pour cette IP.

3.130.168.2 Tentative d'exploit 18/06/2026 17:32 UTC
65.1.138.190 Sonde RDP 18/06/2026 17:27 UTC
98.80.4.125 xmpp probe 18/06/2026 17:13 UTC
3.87.27.156 minecraft probe 18/06/2026 17:12 UTC
3.134.216.108 Sonde PostgreSQL 18/06/2026 17:08 UTC
54.161.68.68 paloalto expedition 18/06/2026 16:45 UTC
18.218.118.203 Tentative d'exploit 18/06/2026 16:33 UTC
16.58.56.214 Sonde PostgreSQL 18/06/2026 16:32 UTC

Événements (filtres)

Première observation

18/06/2026 00:06 UTC

Dernière observation

18/06/2026 00:07 UTC

Dernière activité (filtres)

18/06/2026 00:07 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 44 CPANEL WHM TCP 4 CPANEL SSL TCP 1

HTTP

CPANEL WHM

CPANEL SSL

Géolocalisation

Origine réseau déclarée

Corée du Sud unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Amazon.com, Inc. 0 Port 2077 port_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Reconnaissance

Chaîne d'attaque

Reconnaissance

Vecteur d'attaque

port scan syn · via CPANEL WHM:2087 · (reconnaissance)

Détails protocole

Aperçu payload

��k��R��Qe��Ou��R{ M�h@�,��+*:bdV�'�,m�zSݞ y55�+�/�,�0̨̩� �� [ �

Port / service

2087 · CPANEL WHM

Service émulé

CPANEL-WHM

Raison confiance

Confiance 100 % — 4 signal(aux) capteur

Technique MITRE

T1046

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Campagne multi-ports Multi-protocole corrélé (5 min)

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S

Confiance

100% Corrélation +14

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

54 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

54 événement(s) — page 1/2

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
18/06/2026 00:07:04 UTC	TCP	2087 · CPANEL WHM	cpanel-whm	Scan de ports port scan syn · via CPANEL WHM:2087 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur CPANEL-WHM WAF — Recommandation Surveiller Tags cpanel_whm_emulated cpanel_whm_payload net_cpanel_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2087 Chemin / cible — Service CPANEL WHM Payload ��k��R��Qe��Ou��R{ M�h@�,��+:bdV�'�,m�zSݞ y55�+�/�,�0̨̩� �� [ � Pourquoi cette classification :* Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��k��R��Qe��Ou��R{ M�h@�,��+:bdV�'�,m�zSݞ y55�+�/�,�0̨̩� �� [� Requête brute (extrait) ��k��R��Qe��Ou��R{ M�h@�,��+:bdV�'�,m�zSݞ y55�+�/�,�0̨̩� �� [ � � 2+3�� a�_�-��BB�?P ��j�%O8 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "bytes_in": 1479, "payload_entropy": 7.714702535236, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "cpanel-whm", "app_proto": "cpanel-whm", "asn": 16509, "country": "KR", "dst_port": 2087, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "51584d32aeb6bcba72953119cc78a0e0836a8f64", "event_fingerprint": "bd94c1be47794e5b05816ea1bc287e14296ba082", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "cpanel-whm", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2ee83d4c0cad2b2ce002ff2e1216d33d", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2087, "service": "cpanel-whm", "service_name": "cpanel-whm", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR\u0013\ufffd\ufffd\u000f\ufffdQ\u0018e\ufffd\ufffd\ufffdOu\ufffd\ufffd\u0001\u0013\ufffd\ufffd\ufffd\ufffdR{ M\u0014\ufffdh@\ufffd,\ufffd\u0019\ufffd\ufffd+:bdV\ufffd'\ufffd,m\ufffdz\u001aS\u075e\ty55\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005[\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR\u0013\ufffd\ufffd\u000f\ufffdQ\u0018e\ufffd\ufffd\ufffdOu\ufffd\ufffd\u0001\u0013\ufffd\ufffd\ufffd\ufffdR{ M\u0014\ufffdh@\ufffd,\ufffd\u0019\ufffd\ufffd+:bdV\ufffd'\ufffd,m\ufffdz\u001aS\u075e\ty55\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005[\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\u0006\ufffd\u000b\ufffda\ufffd_\ufffd-\ufffd\ufffd\u0013\ufffd\ufffdBB\ufffd?P\f\u001c\ufffd\ufffdj\ufffd%O\u00048", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR\u0013\ufffd\ufffd\u000f\ufffdQ\u0018e\ufffd\ufffd\ufffdOu\ufffd\ufffd\u0001\u0013\ufffd\ufffd\ufffd\ufffdR{ M\u0014\ufffdh@\ufffd,\ufffd\u0019\ufffd\ufffd+:bdV\ufffd'\ufffd,m\ufffdz\u001aS\u075e\ty55\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005[\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "04693fa0ba42f955f8c926de4eb0a91d56364d3b", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR\u0013\ufffd\ufffd\u000f\ufffdQ\u0018e\ufffd\ufffd\ufffdOu\ufffd\ufffd\u0001\u0013\ufffd\ufffd\ufffd\ufffdR{ M\u0014\ufffdh@\ufffd,\ufffd\u0019\ufffd\ufffd+:bdV\ufffd'\ufffd,m\ufffdz\u001aS\u075e\ty55\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005[\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 2087, "service": "cpanel-whm", "service_label_fr": "CPANEL WHM" }, "evidence_snippet": "\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd\ufffd\ufffdQe\ufffd\ufffd\ufffdOu\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR{ M\ufffdh@\ufffd,\ufffd\ufffd\ufffd+:bdV\ufffd'\ufffd,m\ufffdzS\u075e\ty55\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd[\ufffd", "attack_vector": "port scan syn \u00b7 via CPANEL WHM:2087 \u00b7 (reconnaissance)", "target_port_label": "2087 \u00b7 CPANEL WHM", "emulator_service": "cpanel-whm", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CPANEL WHM \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "cpanel-whm", "service_label_fr": "CPANEL WHM", "dst_port": 2087, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cpanel-whm", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR\u0013\ufffd\ufffd\u000f\ufffdQ\u0018e\ufffd\ufffd\ufffdOu\ufffd\ufffd\u0001\u0013\ufffd\ufffd\ufffd\ufffdR{ M\u0014\ufffdh@\ufffd,\ufffd\u0019\ufffd\ufffd+:bdV\ufffd'\ufffd,m\ufffdz\u001aS\u075e\ty55\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005[\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 2087, "service": "cpanel-whm", "service_label_fr": "CPANEL WHM" }, "attack_vector": "port scan syn \u00b7 via CPANEL WHM:2087 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd\ufffd\ufffdQe\ufffd\ufffd\ufffdOu\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR{ M\ufffdh@\ufffd,\ufffd\ufffd\ufffd+*:bdV\ufffd'\ufffd,m\ufffdzS\u075e\ty55\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd[\ufffd", "target_port_label": "2087 \u00b7 CPANEL WHM", "emulator_service": "cpanel-whm", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cpanel_whm", "service_banner": "honeypot-cpanel-whm", "service_os": "linux", "dst_port": "2087" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "cpanel_whm_emulated", "cpanel_whm_payload", "net_cpanel_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
18/06/2026 00:07:01 UTC	TCP	2087 · CPANEL WHM	cpanel-whm	Scan de ports port scan syn · via CPANEL WHM:2087 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur CPANEL-WHM WAF — Recommandation Surveiller Tags cpanel_whm_emulated net_cpanel_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2087 Chemin / cible — Service CPANEL WHM Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "cpanel-whm", "app_proto": "cpanel-whm", "asn": 16509, "country": "KR", "dst_port": 2087, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "3cc87787de2487ea19b1ca6395cfb4b7f29c83e1", "event_fingerprint": "bd94c1be47794e5b05816ea1bc287e14296ba082", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "cpanel-whm", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2087, "service": "cpanel-whm", "service_name": "cpanel-whm", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ba57e2fd8ac1f8e44ea7217c6e5d041b38e985cf", "protocol_details": { "port": 2087, "service": "cpanel-whm", "service_label_fr": "CPANEL WHM" }, "attack_vector": "port scan syn \u00b7 via CPANEL WHM:2087 \u00b7 (reconnaissance)", "target_port_label": "2087 \u00b7 CPANEL WHM", "emulator_service": "cpanel-whm", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CPANEL WHM \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "cpanel-whm", "service_label_fr": "CPANEL WHM", "dst_port": 2087, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cpanel-whm", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "port": 2087, "service": "cpanel-whm", "service_label_fr": "CPANEL WHM" }, "attack_vector": "port scan syn \u00b7 via CPANEL WHM:2087 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "2087 \u00b7 CPANEL WHM", "emulator_service": "cpanel-whm", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cpanel_whm", "service_banner": "honeypot-cpanel-whm", "service_os": "linux", "dst_port": "2087" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cpanel_whm_emulated", "net_cpanel_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:07:01 UTC	TCP	2087 · CPANEL WHM	cpanel-whm	Scan de ports port scan syn · via CPANEL WHM:2087 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur CPANEL-WHM WAF — Recommandation Surveiller Tags cpanel_whm_emulated cpanel_whm_payload net_cpanel_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2087 Chemin / cible — Service CPANEL WHM Payload ��Z8��^7U�Ihj^��5߃�W<� ��b��r�V#�Y��L&?aI��"p�+�/�,�0̨̩� �� [ � Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Z8��^7U�Ihj^��5߃�W<� ��b��r�V#�Y��L&?aI��"p�+�/�,�0̨̩� �� [� Requête brute (extrait) ��Z8��^7U�Ihj^��5߃�W<� ��b��r�V#�Y��L&?aI��"p�+�/�,�0̨̩� �� [ � � 2+3��dJyz��9�2ĵh[!�>�LN@��D�l Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "bytes_in": 1479, "payload_entropy": 7.7362045398207835, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "cpanel-whm", "app_proto": "cpanel-whm", "asn": 16509, "country": "KR", "dst_port": 2087, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "51584d32aeb6bcba72953119cc78a0e0836a8f64", "event_fingerprint": "bd94c1be47794e5b05816ea1bc287e14296ba082", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "cpanel-whm", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3e57c1377d1df69c0d55b17cd78f43dc", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2087, "service": "cpanel-whm", "service_name": "cpanel-whm", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdZ\u001b8\ufffd\ufffd\ufffd\ufffd\ufffd^\u00117U\ufffdIhj^\ufffd\ufffd\u00115\u07c3\u0014\ufffdW<\u000e\u0019\u0000\ufffd \u0018\r\u0001\ufffd\ufffd\u0007b\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffdV#\ufffdY\ufffd\ufffd\ufffd\u0000L&?aI\ufffd\ufffd\"p\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005[\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdZ\u001b8\ufffd\ufffd\ufffd\ufffd\ufffd^\u00117U\ufffdIhj^\ufffd\ufffd\u00115\u07c3\u0014\ufffdW<\u000e\u0019\u0000\ufffd \u0018\r\u0001\ufffd\ufffd\u0007b\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffdV#\ufffdY\ufffd\ufffd\ufffd\u0000L&?aI\ufffd\ufffd\"p\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005[\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffddJyz\ufffd\ufffd\u00169\ufffd\u00002\u0135h[!\ufffd>\ufffd\u0017LN@\ufffd\ufffdD\ufffd\u0013l", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdZ\u001b8\ufffd\ufffd\ufffd\ufffd\ufffd^\u00117U\ufffdIhj^\ufffd\ufffd\u00115\u07c3\u0014\ufffdW<\u000e\u0019\u0000\ufffd \u0018\r\u0001\ufffd\ufffd\u0007b\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffdV#\ufffdY\ufffd\ufffd\ufffd\u0000L&?aI\ufffd\ufffd\"p\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005[\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "27e900fed9f0fc5828b65d103c045f79db426dd5", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdZ\u001b8\ufffd\ufffd\ufffd\ufffd\ufffd^\u00117U\ufffdIhj^\ufffd\ufffd\u00115\u07c3\u0014\ufffdW<\u000e\u0019\u0000\ufffd \u0018\r\u0001\ufffd\ufffd\u0007b\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffdV#\ufffdY\ufffd\ufffd\ufffd\u0000L&?aI\ufffd\ufffd\"p\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005[\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 2087, "service": "cpanel-whm", "service_label_fr": "CPANEL WHM" }, "evidence_snippet": "\ufffd\ufffd\ufffdZ8\ufffd\ufffd\ufffd\ufffd\ufffd^7U\ufffdIhj^\ufffd\ufffd5\u07c3\ufffdW<\ufffd \r\ufffd\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffdV#\ufffdY\ufffd\ufffd\ufffdL&?aI\ufffd\ufffd\"p\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd[\ufffd", "attack_vector": "port scan syn \u00b7 via CPANEL WHM:2087 \u00b7 (reconnaissance)", "target_port_label": "2087 \u00b7 CPANEL WHM", "emulator_service": "cpanel-whm", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CPANEL WHM \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "cpanel-whm", "service_label_fr": "CPANEL WHM", "dst_port": 2087, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cpanel-whm", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdZ\u001b8\ufffd\ufffd\ufffd\ufffd\ufffd^\u00117U\ufffdIhj^\ufffd\ufffd\u00115\u07c3\u0014\ufffdW<\u000e\u0019\u0000\ufffd \u0018\r\u0001\ufffd\ufffd\u0007b\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffdV#\ufffdY\ufffd\ufffd\ufffd\u0000L&?aI\ufffd\ufffd\"p\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005[\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 2087, "service": "cpanel-whm", "service_label_fr": "CPANEL WHM" }, "attack_vector": "port scan syn \u00b7 via CPANEL WHM:2087 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffdZ8\ufffd\ufffd\ufffd\ufffd\ufffd^7U\ufffdIhj^\ufffd\ufffd5\u07c3\ufffdW<\ufffd \r\ufffd\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffdV#\ufffdY\ufffd\ufffd\ufffdL&?aI\ufffd\ufffd\"p\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd[\ufffd", "target_port_label": "2087 \u00b7 CPANEL WHM", "emulator_service": "cpanel-whm", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cpanel_whm", "service_banner": "honeypot-cpanel-whm", "service_os": "linux", "dst_port": "2087" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "cpanel_whm_emulated", "cpanel_whm_payload", "net_cpanel_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
18/06/2026 00:07:00 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /terraform.tfstate	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /terraform.tfstate UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /terraform.tfstate TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /terraform.tfstate Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /terraform.tfstate HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /terraform.tfstate HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /terraform.tfstate HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "tfstate", "http_ua_hash": "6f5b0a9fc247c6bb758a70fc6a40934213981d54", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "baeffa95e40dcec721558e2c8524eaa2244715f0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 225, "payload_entropy": 5.368026392653487, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d921ec69a9b485a9871a1300aceb6e60a3443aaa", "event_fingerprint": "16889c90e169ffffb31ae573e71dc0df011a3f58", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bd33e731a9dc71ed698fb3458da6dbe5", "payload_hash": "5d9e8de85f9f3cfbf1caf1dab5d25da8", "path_pattern_hash": "ebaf0256ce61b0ddbaeff437c8371be6" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/terraform.tfstate HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/terraform.tfstate", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/terraform.tfstate HTTP\/1.1", "request_sample": "GET \/terraform.tfstate HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/terraform.tfstate HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/terraform.tfstate", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/terraform.tfstate HTTP\/1.1", "request_sample": "GET \/terraform.tfstate HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/terraform.tfstate HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "66da98e4d986f5cdd7ff0a5903cfe7c45c0f370b", "protocol_details": { "http_method": "GET", "http_path": "\/terraform.tfstate", "request_line": "GET \/terraform.tfstate HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/terraform.tfstate HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/terraform.tfstate", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/terraform.tfstate", "request_line": "GET \/terraform.tfstate HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/terraform.tfstate", "evidence_snippet": "GET \/terraform.tfstate HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:07:00 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /terraform.tfstate.backup	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /terraform.tfstate.backup UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /terraform.tfstate.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /terraform.tfstate.backup Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /terraform.tfstate.backup HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /terraform.tfstate.backup HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (K Requête brute (extrait) GET /terraform.tfstate.backup HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "backup", "http_ua_hash": "07b3f636f85048d240c220c68060800feecba27d", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "2045b4549caf9eb0850a66a9d5c395e9b74b671c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 222, "payload_entropy": 5.422162464109884, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d921ec69a9b485a9871a1300aceb6e60a3443aaa", "event_fingerprint": "90b89105e509aa19ca2f5358167dfd894bcafb33", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c1397ca4c438ef7fc95e8a6f78f01a9b", "payload_hash": "6c13a4c3e158931a71c3bea42342b443", "path_pattern_hash": "939d325e377d4b9518ed197b24d27f8c" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/terraform.tfstate.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/terraform.tfstate.backup", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/terraform.tfstate.backup HTTP\/1.1", "request_sample": "GET \/terraform.tfstate.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/terraform.tfstate.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/terraform.tfstate.backup", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/terraform.tfstate.backup HTTP\/1.1", "request_sample": "GET \/terraform.tfstate.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/terraform.tfstate.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (K", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b9c9b69bcab811ed39f3df14fc796cf38cd33963", "protocol_details": { "http_method": "GET", "http_path": "\/terraform.tfstate.backup", "request_line": "GET \/terraform.tfstate.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/terraform.tfstate.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (K", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/terraform.tfstate.backup", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/terraform.tfstate.backup", "request_line": "GET \/terraform.tfstate.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/terraform.tfstate.backup", "evidence_snippet": "GET \/terraform.tfstate.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (K", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:59 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /application.yml	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /application.yml UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /application.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /application.yml Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /application.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application.yml HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, lik Requête brute (extrait) GET /application.yml HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "07b3f636f85048d240c220c68060800feecba27d", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "b5819b2c14e2e66f80448b9cafafa1033e7b1cec", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 213, "payload_entropy": 5.410979575646679, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3044deb80ff6625aca4621a90d52ad1f1b7b4b73", "event_fingerprint": "869e0dcd47a23908f002c38421e2a7f0e49d808b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c1397ca4c438ef7fc95e8a6f78f01a9b", "payload_hash": "c33f289c87bd161a6dfa64dda3c16198", "path_pattern_hash": "18101755b44cc6d8b270134bcce32edf" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "method": "GET", "path": "\/application.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.yml HTTP\/1.1", "request_sample": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "evidence": { "method": "GET", "path": "\/application.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.yml HTTP\/1.1", "request_sample": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d47e8f6f8908326f7aa255e40b3ec41c1b31f243", "protocol_details": { "http_method": "GET", "http_path": "\/application.yml", "request_line": "GET \/application.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/application.yml", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/application.yml", "request_line": "GET \/application.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/application.yml", "evidence_snippet": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:59 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.kube/config	Élevée	Moyen · 57
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.kube/config UA Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /.kube/config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.kube/config Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET .kube/config Probe /.kube/config Ligne de requête `GET /.kube/config HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.kube/config HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /.kube/config HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "kube\/config", "http_ua_hash": "572d0d5c8fdfe1422b8eda4ab577fb9f29b639e1", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "6de07e41ec0c05d5881cf1a65cdbd8753277f973", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 226, "payload_entropy": 5.358595848087819, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "341ac2e411800b1811620dc2f6102cfc7d8f5a48", "event_fingerprint": "8fbf23e61e88a52cc8f82aed6581a4b66dd80c2b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0593", "pat-0203" ], "matched_pattern_names": [ "ET .kube\/config", "Probe \/.kube\/config" ], "pattern_ids": [ "pat-0593", "pat-0203" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cc512f8aa6b1eef151c71762d3763fdb", "payload_hash": "d9dfd0203c0a8bd74ef8a988acb930df", "path_pattern_hash": "7ef33d76bc8de32d08d882a9ac8291f3" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/.kube\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/.kube\/config", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.kube\/config HTTP\/1.1", "request_sample": "GET \/.kube\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.kube\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/.kube\/config", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.kube\/config HTTP\/1.1", "request_sample": "GET \/.kube\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.kube\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1281783a6f57b77c866fba8255174ef0ac07665e", "protocol_details": { "http_method": "GET", "http_path": "\/.kube\/config", "request_line": "GET \/.kube\/config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.kube\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTM", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.kube\/config", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.kube\/config", "request_line": "GET \/.kube\/config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.kube\/config", "evidence_snippet": "GET \/.kube\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTM", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:58 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /web.config	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /web.config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_web_probe Cible HTTP GET /web.config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /web.config Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 50 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) LFI IIS web.config Ligne de requête `GET /web.config HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/201001 Requête brute (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "config", "http_ua_hash": "abcecdd24d00f76aa87a7f19ce44d01537e01df4", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "fb61e36fe9095535f127e3353d957f1c1310e8e9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 190, "payload_entropy": 5.241441501082823, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 50, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4917e44826278ff599b1bdfd14c03f2da18081de", "event_fingerprint": "ad4a5ea4232ca17290700f0ac3cf3112b7021f45", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0120" ], "matched_pattern_names": [ "LFI IIS web.config" ], "pattern_ids": [ "pat-0120" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 50, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f631915c7d7a8dcb91e1608a166d21b7", "payload_hash": "13606e938f33f818022b1213bc54e281", "path_pattern_hash": "0913647d7e838cdd727ceda37a671f37" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 50 }, "payload_preview": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/201001", "method": "GET", "path": "\/web.config", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/201001", "evidence": { "method": "GET", "path": "\/web.config", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/201001", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "39d1aa8b54b8c3da9748ebcb6d81766afa198f75", "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/201001", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/web.config", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 50, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/web.config", "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/201001", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:58 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /application.properties	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /application.properties UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /application.properties TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /application.properties Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /application.properties HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application.properties HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Requête brute (extrait) GET /application.properties HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "properties", "http_ua_hash": "abcecdd24d00f76aa87a7f19ce44d01537e01df4", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "e3fd46d86bb2ad69319106117f93875bff130862", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 202, "payload_entropy": 5.190465848477853, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d921ec69a9b485a9871a1300aceb6e60a3443aaa", "event_fingerprint": "8c8dc61efed020761b905b3d8bd8a83c1a9aa231", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f631915c7d7a8dcb91e1608a166d21b7", "payload_hash": "6a730413eafffdf178851437b956fd4e", "path_pattern_hash": "8c4feac6bcb94afde681db33f96763e3" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) ", "method": "GET", "path": "\/application.properties", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.properties HTTP\/1.1", "request_sample": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0)", "evidence": { "method": "GET", "path": "\/application.properties", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.properties HTTP\/1.1", "request_sample": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0)", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "458f28f914cce12b5622ce6bc238df91be3f5e3a", "protocol_details": { "http_method": "GET", "http_path": "\/application.properties", "request_line": "GET \/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0)", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/application.properties", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/application.properties", "request_line": "GET \/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/application.properties", "evidence_snippet": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0)", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:57 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /proc/self/environ	Élevée	Moyen · 64
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /proc/self/environ UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950264:lfi-1 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /proc/self/environ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /proc/self/environ Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 930140 proc self LFI path /proc/self/environ Ligne de requête `GET /proc/self/environ HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF lfi-1 rce-0 nosqli-3 Payload (extrait) GET /proc/self/environ HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20 Requête brute (extrait) GET /proc/self/environ HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": null, "http_ua_hash": "1e87ffea5654101b4de6efaf2d6659424d4315d1", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "147ddb4907cb3b80b049d5af3a19704c5e4646c7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 194, "payload_entropy": 5.193521935824068, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "32a93d0eacda7dd7df412363d494ad173286588f", "event_fingerprint": "45490877643f7c51965c887674e46820a1a355e2", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0714", "pat-0140" ], "matched_pattern_names": [ "CRS 930140 proc self", "LFI path \/proc\/self\/environ" ], "pattern_ids": [ "pat-0714", "pat-0140" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ad82fd5622889299602e148bf3c011b2", "payload_hash": "3a1cab817f180f1375cc4de69ef579ce", "path_pattern_hash": "915db09685f7a87f293e0b20df27c822" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/proc\/self\/environ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20", "method": "GET", "path": "\/proc\/self\/environ", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950264:lfi-1", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-1", "rce-0", "nosqli-3" ], "request_line": "GET \/proc\/self\/environ HTTP\/1.1", "request_sample": "GET \/proc\/self\/environ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/proc\/self\/environ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20", "evidence": { "method": "GET", "path": "\/proc\/self\/environ", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950264:lfi-1", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-1", "rce-0", "nosqli-3" ], "request_line": "GET \/proc\/self\/environ HTTP\/1.1", "request_sample": "GET \/proc\/self\/environ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/proc\/self\/environ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "93c93588b3b378a4a7eaa7eb2f406f42cc167b3b", "protocol_details": { "http_method": "GET", "http_path": "\/proc\/self\/environ", "request_line": "GET \/proc\/self\/environ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/proc\/self\/environ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/proc\/self\/environ", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/proc\/self\/environ", "request_line": "GET \/proc\/self\/environ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/proc\/self\/environ", "evidence_snippet": "GET \/proc\/self\/environ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +14 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950264:lfi-1", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:57 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /appsettings.json	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /appsettings.json UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /appsettings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /appsettings.json Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Cred ASP.NET settings Ligne de requête `GET /appsettings.json HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /appsettings.json HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/ Requête brute (extrait) GET /appsettings.json HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "abcecdd24d00f76aa87a7f19ce44d01537e01df4", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "1bb70c4d477e16ecbd1bc700e3f66fae61eb4898", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 196, "payload_entropy": 5.217025490809245, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3044deb80ff6625aca4621a90d52ad1f1b7b4b73", "event_fingerprint": "ffd22a127f03e89d505ab785c0df6115a9b341b7", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0466" ], "matched_pattern_names": [ "Cred ASP.NET settings" ], "pattern_ids": [ "pat-0466" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f631915c7d7a8dcb91e1608a166d21b7", "payload_hash": "b99481aefcab363791b3bbf5c884b516", "path_pattern_hash": "8a0b1852fc2be645a82e96b3e5fdd755" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/", "method": "GET", "path": "\/appsettings.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/appsettings.json HTTP\/1.1", "request_sample": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/", "evidence": { "method": "GET", "path": "\/appsettings.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/appsettings.json HTTP\/1.1", "request_sample": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "10a8ddfd85e00387ec75245ccefa724cb1e4d36f", "protocol_details": { "http_method": "GET", "http_path": "\/appsettings.json", "request_line": "GET \/appsettings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/appsettings.json", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/appsettings.json", "request_line": "GET \/appsettings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/appsettings.json", "evidence_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:56 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.npmrc	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.npmrc UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /.npmrc TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.npmrc Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Cred NPM credentials Ligne de requête `GET /.npmrc HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.npmrc HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /.npmrc HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "npmrc", "http_ua_hash": "040a89826d3eb8f60f68abe05208a91b116b5286", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "e47e720fc12387d6362d15cf56ef7f004f4a216f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.377881273931351, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d921ec69a9b485a9871a1300aceb6e60a3443aaa", "event_fingerprint": "e2cadab59eb2e929e9aad1ad4858bf5efe71a67f", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0481" ], "matched_pattern_names": [ "Cred NPM credentials" ], "pattern_ids": [ "pat-0481" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b24c868eb88f09716d34b010b594ad74", "payload_hash": "584852b2461ed0fd9f7bbc3d2ddc62d7", "path_pattern_hash": "7643d037b83b1eb932659ed1ccb7e4fe" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/.npmrc", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.npmrc HTTP\/1.1", "request_sample": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/.npmrc", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.npmrc HTTP\/1.1", "request_sample": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "82403c57ae21350efba0958d1f845a69e4865f5e", "protocol_details": { "http_method": "GET", "http_path": "\/.npmrc", "request_line": "GET \/.npmrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTM", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.npmrc", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.npmrc", "request_line": "GET \/.npmrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.npmrc", "evidence_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTM", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:56 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.netrc	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.netrc UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /.netrc TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.netrc Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Cred Netrc credentials Ligne de requête `GET /.netrc HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.netrc HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Requête brute (extrait) GET /.netrc HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "netrc", "http_ua_hash": "07b3f636f85048d240c220c68060800feecba27d", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "b7551dc22135c68ecee0a4d011ec4c0b7c771e06", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 204, "payload_entropy": 5.393606219761132, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d921ec69a9b485a9871a1300aceb6e60a3443aaa", "event_fingerprint": "21ddbb8ee8ec04609b6bcc682aa3f8f9db68289f", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0482" ], "matched_pattern_names": [ "Cred Netrc credentials" ], "pattern_ids": [ "pat-0482" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c1397ca4c438ef7fc95e8a6f78f01a9b", "payload_hash": "36468f9dac2a504a68630cf99030d43b", "path_pattern_hash": "5fa317981ba713f7d39164540951d6bb" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) ", "method": "GET", "path": "\/.netrc", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.netrc HTTP\/1.1", "request_sample": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "evidence": { "method": "GET", "path": "\/.netrc", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.netrc HTTP\/1.1", "request_sample": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8cdb00d2ac70c272aea18e49dc0eeb779f498804", "protocol_details": { "http_method": "GET", "http_path": "\/.netrc", "request_line": "GET \/.netrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.netrc", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.netrc", "request_line": "GET \/.netrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.netrc", "evidence_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:55 UTC	TCP	2083 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:2083 · (tentative d'exploit) · → /.ssh/id_rsa	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.ssh/id_rsa UA Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_id_rsa Cible HTTP GET /.ssh/id_rsa TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.ssh/id_rsa Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · Sonde clé SSH / id_rsa · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 63 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-credential-file Http Id Rsa pat-0490 pat-0495 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred SSH key in .ssh Cred SSH private key id_rsa Ligne de requête `GET /.ssh/id_rsa HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.ssh/id_rsa HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /.ssh/id_rsa HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ssh\/id_rsa", "http_ua_hash": "572d0d5c8fdfe1422b8eda4ab577fb9f29b639e1", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "d951dfd854ab99392c126a2628ec52b85415a678", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 225, "payload_entropy": 5.378999050498273, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c6a831a73cbd7b8fa87e3e1d685925c08d790046", "event_fingerprint": "fe63d1e92fbf41cd1d9e85871eddbdedc277cb3f", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 393, "precision_signals": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0490", "pat-0495" ], "matched_pattern_names": [ "Cred SSH key in .ssh", "Cred SSH private key id_rsa" ], "pattern_ids": [ "pat-0490", "pat-0495" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 14 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cc512f8aa6b1eef151c71762d3763fdb", "payload_hash": "5b0ae7b892479bbf039f6a5716a59821", "path_pattern_hash": "6eca2c923ad05fff3eba197c659999e2" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/.ssh\/id_rsa", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "request_sample": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/.ssh\/id_rsa", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "request_sample": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "630a88f2626b968f300d17b78bac23b00600dbbd", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/id_rsa", "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML", "attack_vector": "credential file probe \u00b7 via HTTP:2083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.ssh\/id_rsa", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 14 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495" ], "tags_summary_labels_fr": [ "SIGMA-web-credential-file", "Http Id Rsa", "pat-0490", "pat-0495" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/id_rsa", "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:2083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.ssh\/id_rsa", "evidence_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_id_rsa", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:55 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.ssh/id_ed25519	Élevée	Moyen · 64
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.ssh/id_ed25519 UA Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/… Émulateur HTTP WAF 25 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /.ssh/id_ed25519 TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.ssh/id_ed25519 Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Cred SSH private key ed25519 LFI Double-dot bypass Ligne de requête `GET /.ssh/id_ed25519 HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Règles WAF rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /.ssh/id_ed25519 HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com Requête brute (extrait) GET /.ssh/id_ed25519 HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ssh\/id_ed25519", "http_ua_hash": "59c3d4f2509c82627f0eeb8e0e13ae1254eb4065", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "306d98c7b24d1b2bfbec725833a0037a5418aa2d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 184, "payload_entropy": 5.1645638432479695, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "abd5798682018609548db9cc45a4dbe22e3f1c75", "event_fingerprint": "f62f109587312167b38dc07e61c7b55747cdbcbb", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0492", "pat-0103" ], "matched_pattern_names": [ "Cred SSH private key ed25519", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0492", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "043937ea8abaea325dbde1020b1bdd9f", "payload_hash": "4b3fb1730bbbf29a997c2cf9057c607f", "path_pattern_hash": "d6c157a7b396f45943e49312666b9456" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.ssh\/id_ed25519 HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com", "method": "GET", "path": "\/.ssh\/id_ed25519", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/.ssh\/id_ed25519 HTTP\/1.1", "request_sample": "GET \/.ssh\/id_ed25519 HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.ssh\/id_ed25519 HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com", "evidence": { "method": "GET", "path": "\/.ssh\/id_ed25519", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/.ssh\/id_ed25519 HTTP\/1.1", "request_sample": "GET \/.ssh\/id_ed25519 HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.ssh\/id_ed25519 HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "625c824e62119a066e3b03e344b4d58e2b8687dd", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/id_ed25519", "request_line": "GET \/.ssh\/id_ed25519 HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.ssh\/id_ed25519 HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.ssh\/id_ed25519", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/id_ed25519", "request_line": "GET \/.ssh\/id_ed25519 HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.ssh\/id_ed25519", "evidence_snippet": "GET \/.ssh\/id_ed25519 HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +14 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:54 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /database.sql	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /database.sql UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_backup_file_scan http_backup_path Cible HTTP GET /database.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /database.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 50 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /database.sql HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /database.sql HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/2010010 Requête brute (extrait) GET /database.sql HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "sql", "http_ua_hash": "1e87ffea5654101b4de6efaf2d6659424d4315d1", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "a256b81a49571be3bda096f7ff40f264f6f65ea6", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 189, "payload_entropy": 5.254204936655229, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 50, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4f39fe0e735d71db4dfe53fa2e68a21c8393c767", "event_fingerprint": "d5ca8f203a6809e63ce4bfc46600ea346b622f81", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 50, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ad82fd5622889299602e148bf3c011b2", "payload_hash": "5da44e08d5cd27b79eb1ad23b3032fa5", "path_pattern_hash": "5a42560e1122aec9e65ed81031f076c0" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 50 }, "payload_preview": "GET \/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/2010010", "method": "GET", "path": "\/database.sql", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/database.sql HTTP\/1.1", "request_sample": "GET \/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/2010010", "evidence": { "method": "GET", "path": "\/database.sql", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/database.sql HTTP\/1.1", "request_sample": "GET \/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/2010010", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e1d4504e7fabe56c5f9377d62a7ec2801fd76f5e", "protocol_details": { "http_method": "GET", "http_path": "\/database.sql", "request_line": "GET \/database.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/2010010", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/database.sql", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 50, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/database.sql", "request_line": "GET \/database.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/database.sql", "evidence_snippet": "GET \/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/2010010", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_backup_file_scan", "http_backup_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:54 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /backup/database.sql	Élevée	Moyen · 59
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /backup/database.sql UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_backup_file_scan Cible HTTP GET /backup/database.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /backup/database.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 59 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /backup/database.sql HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backup/database.sql HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/ Requête brute (extrait) GET /backup/database.sql HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "sql", "http_ua_hash": "1e87ffea5654101b4de6efaf2d6659424d4315d1", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "a3946b3816af570287497b31097388dc39031cc4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 196, "payload_entropy": 5.295192205816686, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 59, "tag_count": 7, "anomaly_count": 0, "campaign_key": "fcc198c79c6902b681bf975b9a34984a67ef49ef", "event_fingerprint": "e18178da2a7e814c10c738d8148a10c2becc1549", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 59, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ad82fd5622889299602e148bf3c011b2", "payload_hash": "746dbd68c12ff1fc6b3fc9bb3679979a", "path_pattern_hash": "e917b694421874317608b74124d16ed9" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "GET \/backup\/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/", "method": "GET", "path": "\/backup\/database.sql", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backup\/database.sql HTTP\/1.1", "request_sample": "GET \/backup\/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/backup\/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/", "evidence": { "method": "GET", "path": "\/backup\/database.sql", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backup\/database.sql HTTP\/1.1", "request_sample": "GET \/backup\/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/backup\/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a495119ea84516f93276b74a60d5a341deaed77a", "protocol_details": { "http_method": "GET", "http_path": "\/backup\/database.sql", "request_line": "GET \/backup\/database.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backup\/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/backup\/database.sql", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 59, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 59, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/backup\/database.sql", "request_line": "GET \/backup\/database.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/backup\/database.sql", "evidence_snippet": "GET \/backup\/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_backup_file_scan", "http_backup_path", "http_probe_backup", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:54 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /data/dump.sql	Élevée	Moyen · 64
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /data/dump.sql UA Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/… Émulateur HTTP WAF 25 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /data/dump.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /data/dump.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) LFI Double-dot bypass LFI SQL dump file Ligne de requête `GET /data/dump.sql HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Règles WAF rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /data/dump.sql HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/b Requête brute (extrait) GET /data/dump.sql HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "sql", "http_ua_hash": "59c3d4f2509c82627f0eeb8e0e13ae1254eb4065", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "c453a27aa17082becb43aa6326b93f0b767d30f2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 182, "payload_entropy": 5.151700268683715, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 7, "anomaly_count": 0, "campaign_key": "bc41fb3579fe21e2cdf4af6568d7ec6f642cb900", "event_fingerprint": "0fb053993926a6b8a45ee9550454cf43dec1bc64", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0103", "pat-0132" ], "matched_pattern_names": [ "LFI Double-dot bypass", "LFI SQL dump file" ], "pattern_ids": [ "pat-0103", "pat-0132" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "043937ea8abaea325dbde1020b1bdd9f", "payload_hash": "1ce99dbfdce5dafab09491f511968efa", "path_pattern_hash": "a0cab5aab5a59924fac704ee0e8419a1" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/data\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/b", "method": "GET", "path": "\/data\/dump.sql", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/data\/dump.sql HTTP\/1.1", "request_sample": "GET \/data\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/data\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/b", "evidence": { "method": "GET", "path": "\/data\/dump.sql", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/data\/dump.sql HTTP\/1.1", "request_sample": "GET \/data\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/data\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/b", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3a037a641ad53c331fe47ea7c77b88db07696b7a", "protocol_details": { "http_method": "GET", "http_path": "\/data\/dump.sql", "request_line": "GET \/data\/dump.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/data\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/b", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/data\/dump.sql", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/data\/dump.sql", "request_line": "GET \/data\/dump.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/data\/dump.sql", "evidence_snippet": "GET \/data\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/b", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +14 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "http_backup_file_scan", "http_backup_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:53 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /backup.sql	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /backup.sql UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_backup_file_scan http_backup_path Cible HTTP GET /backup.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /backup.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 50 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) LFI SQL backup dump Ligne de requête `GET /backup.sql HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backup.sql HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/201001 Requête brute (extrait) GET /backup.sql HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "sql", "http_ua_hash": "abcecdd24d00f76aa87a7f19ce44d01537e01df4", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "0778e66dc91685120fa0e5222b9737c65f736401", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 190, "payload_entropy": 5.283105432455948, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 50, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4f39fe0e735d71db4dfe53fa2e68a21c8393c767", "event_fingerprint": "928e8e2c77e355c96784ba6a350a811737a267f5", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0131" ], "matched_pattern_names": [ "LFI SQL backup dump" ], "pattern_ids": [ "pat-0131" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 50, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f631915c7d7a8dcb91e1608a166d21b7", "payload_hash": "11c1511fe8968bbe40fd5234d718a4ef", "path_pattern_hash": "2456a7a22b603c556554665c5d0203f5" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 50 }, "payload_preview": "GET \/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/201001", "method": "GET", "path": "\/backup.sql", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backup.sql HTTP\/1.1", "request_sample": "GET \/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/201001", "evidence": { "method": "GET", "path": "\/backup.sql", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backup.sql HTTP\/1.1", "request_sample": "GET \/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/201001", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5ac47d9676969aa013fbad3998c5fe125e388779", "protocol_details": { "http_method": "GET", "http_path": "\/backup.sql", "request_line": "GET \/backup.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/201001", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/backup.sql", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 50, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/backup.sql", "request_line": "GET \/backup.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/backup.sql", "evidence_snippet": "GET \/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/201001", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_backup_file_scan", "http_backup_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:53 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /dump.sql	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /dump.sql UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_backup_file_scan http_backup_path Cible HTTP GET /dump.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /dump.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 50 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) LFI SQL dump file Ligne de requête `GET /dump.sql HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /dump.sql HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /dump.sql HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "sql", "http_ua_hash": "6f5b0a9fc247c6bb758a70fc6a40934213981d54", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "1fc830e90e8ffa94d6b83234ae2ec2ba7b5108ba", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 216, "payload_entropy": 5.40866039719832, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 50, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4f39fe0e735d71db4dfe53fa2e68a21c8393c767", "event_fingerprint": "0ed0b26da15299b07bc2ca3b97b42a86e9c662be", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0132" ], "matched_pattern_names": [ "LFI SQL dump file" ], "pattern_ids": [ "pat-0132" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 50, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bd33e731a9dc71ed698fb3458da6dbe5", "payload_hash": "c34b212ad435b0866dce26e9a668a02f", "path_pattern_hash": "2debf0ced7dd0a1204edf7447a578b8e" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 50 }, "payload_preview": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/dump.sql", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/dump.sql HTTP\/1.1", "request_sample": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/dump.sql", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/dump.sql HTTP\/1.1", "request_sample": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5062ebfe0c309c949958c2571b9a23d95e0b7393", "protocol_details": { "http_method": "GET", "http_path": "\/dump.sql", "request_line": "GET \/dump.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/dump.sql", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 50, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/dump.sql", "request_line": "GET \/dump.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/dump.sql", "evidence_snippet": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_backup_file_scan", "http_backup_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:52 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /app/config/parameters.yml	Élevée	Moyen · 57
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /app/config/parameters.yml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /app/config/parameters.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /app/config/parameters.yml Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /app/config/parameters.yml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app/config/parameters.yml HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125. Requête brute (extrait) GET /app/config/parameters.yml HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "abcecdd24d00f76aa87a7f19ce44d01537e01df4", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "cc8382c07ae1d99dcd8bb8a9e6a6c1ada2d7d586", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 205, "payload_entropy": 5.261378871989216, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "341ac2e411800b1811620dc2f6102cfc7d8f5a48", "event_fingerprint": "47b544297984ae8adadfc92fe78d3bf601968970", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f631915c7d7a8dcb91e1608a166d21b7", "payload_hash": "a70532b37d68063fca1c7e1b5fb1cba5", "path_pattern_hash": "14e465936c1b9cf9455ba711f44752e2" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.", "method": "GET", "path": "\/app\/config\/parameters.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.", "evidence": { "method": "GET", "path": "\/app\/config\/parameters.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "25a38c707d98be086fbb4302136b9947b673ebdb", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yml", "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/app\/config\/parameters.yml", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yml", "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/app\/config\/parameters.yml", "evidence_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:52 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.htpasswd	Élevée	Moyen · 61
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.htpasswd UA Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950522:leak-9 http_sensitive_path Cible HTTP GET /.htpasswd TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.htpasswd Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Cred Apache htpasswd LFI Apache htpasswd Ligne de requête `GET /.htpasswd HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-9 Payload (extrait) GET /.htpasswd HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /.htpasswd HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "htpasswd", "http_ua_hash": "572d0d5c8fdfe1422b8eda4ab577fb9f29b639e1", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "ade2de8d21551efb00f221b43821b4acb26b6f79", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 223, "payload_entropy": 5.385122007507736, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 92, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "6eae0609b2e7c6f10ea48478a1b6942f19922cd7", "event_fingerprint": "76f8bf04b2521e15f7276e1a7fee8973bedcabd4", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0469", "pat-0108" ], "matched_pattern_names": [ "Cred Apache htpasswd", "LFI Apache htpasswd" ], "pattern_ids": [ "pat-0469", "pat-0108" ], "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cc512f8aa6b1eef151c71762d3763fdb", "payload_hash": "2afb128e64ac4924b8cb4f2787e385e9", "path_pattern_hash": "229c0a4c773f5f9eeec1d298c58088ee" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/.htpasswd", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950522:leak-9" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-9" ], "request_line": "GET \/.htpasswd HTTP\/1.1", "request_sample": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/.htpasswd", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950522:leak-9" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-9" ], "request_line": "GET \/.htpasswd HTTP\/1.1", "request_sample": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dad9e4e0e60d4584f42aab005199ac494bb26087", "protocol_details": { "http_method": "GET", "http_path": "\/.htpasswd", "request_line": "GET \/.htpasswd HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML,", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.htpasswd", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.htpasswd", "request_line": "GET \/.htpasswd HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.htpasswd", "evidence_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML,", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950522:leak-9", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:50 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /includes/config.php	Élevée	Moyen · 58
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /includes/config.php UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /includes/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /includes/config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 58 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) LFI Generic config.php Ligne de requête `GET /includes/config.php HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /includes/config.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /includes/config.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "07b3f636f85048d240c220c68060800feecba27d", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "38a8cbd588ed9ce06370fbc4d33a68e72d646fef", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 217, "payload_entropy": 5.409467617681409, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 58, "tag_count": 5, "anomaly_count": 0, "campaign_key": "694e606afa687e9647330b201a3dda470eed629e", "event_fingerprint": "334f66406f0e269e3d7e2c13df0f291b40eb1925", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0118" ], "matched_pattern_names": [ "LFI Generic config.php" ], "pattern_ids": [ "pat-0118" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 58, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c1397ca4c438ef7fc95e8a6f78f01a9b", "payload_hash": "fb1cf374f9ffef13c9fa171286dfd5a5", "path_pattern_hash": "547c4c5ee35589007f3905ba2ace0f66" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 58 }, "payload_preview": "GET \/includes\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/includes\/config.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/includes\/config.php HTTP\/1.1", "request_sample": "GET \/includes\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/includes\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/includes\/config.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/includes\/config.php HTTP\/1.1", "request_sample": "GET \/includes\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/includes\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "05d9e205b20ba6b307f5ebd67b19b9e10564cf9b", "protocol_details": { "http_method": "GET", "http_path": "\/includes\/config.php", "request_line": "GET \/includes\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/includes\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/includes\/config.php", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 58, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 58, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/includes\/config.php", "request_line": "GET \/includes\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/includes\/config.php", "evidence_snippet": "GET \/includes\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:49 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /config.php	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /config.php UA Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefo… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_probe_config http_sensitive_path Cible HTTP GET /config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 50 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) LFI Generic config.php Ligne de requête `GET /config.php HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/12 Requête brute (extrait) GET /config.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "80ed50a47ad6386e110103b40770259a62aae049", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "b7e629c2fbd3802ae94e18b330925fd1c8118dc3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 177, "payload_entropy": 5.253820751294066, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 50, "tag_count": 5, "anomaly_count": 0, "campaign_key": "8423d915593c03d5623d2deecc22a95844a24644", "event_fingerprint": "16f404d8f5884e9ddec88561277b8fa0f77e4729", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0118" ], "matched_pattern_names": [ "LFI Generic config.php" ], "pattern_ids": [ "pat-0118" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 50, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "860da5fd69b9a4398718dec0e118bfe0", "payload_hash": "eeddf13667220fdcd2d140cdb8b5af1d", "path_pattern_hash": "92fece0ebcf69fadf688bf735b18a081" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 50 }, "payload_preview": "GET \/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/12", "method": "GET", "path": "\/config.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.php HTTP\/1.1", "request_sample": "GET \/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/12", "evidence": { "method": "GET", "path": "\/config.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.php HTTP\/1.1", "request_sample": "GET \/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/12", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eec37c4327cec8b03fe6f81746ef8dfd8db500c2", "protocol_details": { "http_method": "GET", "http_path": "\/config.php", "request_line": "GET \/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/12", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/config.php", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 50, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/config.php", "request_line": "GET \/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/config.php", "evidence_snippet": "GET \/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/12", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_probe_config", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:48 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /info.php	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /info.php UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /info.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /info.php Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /info.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /info.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /info.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "9315af92496b848eed5ed988a938df67ee36a260", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "068dbe886744caa8c17ff08053d93aa8001f5bdd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 230, "payload_entropy": 5.347509335908824, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d921ec69a9b485a9871a1300aceb6e60a3443aaa", "event_fingerprint": "5b88839a5c7811ca4eb27ad86344b70980bc607d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "40b58db0069d1a73ee9d23fa54874615", "payload_hash": "2ef66ddc2a3e6a7453e0aa630f1a9edc", "path_pattern_hash": "f698c64f9b430a098de679bb708946c6" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/info.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/info.php HTTP\/1.1", "request_sample": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/info.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/info.php HTTP\/1.1", "request_sample": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6b5f996dc53e6ea516a53eefdb565ca2cc20cf5b", "protocol_details": { "http_method": "GET", "http_path": "\/info.php", "request_line": "GET \/info.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124\u2026", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/info.php", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/info.php", "request_line": "GET \/info.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124\u2026", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/info.php", "evidence_snippet": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:48 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /actuator/env	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /actuator/env UA Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefo… Émulateur HTTP WAF 26 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950612:spring-actuator Cible HTTP GET /actuator/env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /actuator/env Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET actuator env Probe /actuator Probe /actuator/env Ligne de requête `GET /actuator/env HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 spring-actuator Payload (extrait) GET /actuator/env HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/ Requête brute (extrait) GET /actuator/env HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "80ed50a47ad6386e110103b40770259a62aae049", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "e32661bb9cbe8cb5f3660b341b6704d87fd4cb7c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 179, "payload_entropy": 5.24994428580087, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 9, "anomaly_count": 0, "campaign_key": "2661bc24bf1e06ac31c8ed749371be9b12b43991", "event_fingerprint": "1d83fd69c4b1d99a2b4f27645196d4fb4ff65ca9", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0751", "pat-0232", "pat-0233" ], "matched_pattern_names": [ "ET actuator env", "Probe \/actuator", "Probe \/actuator\/env" ], "pattern_ids": [ "pat-0751", "pat-0232", "pat-0233" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "860da5fd69b9a4398718dec0e118bfe0", "payload_hash": "803b106aa0d1c5c60a1f8478efe0175c", "path_pattern_hash": "52616ac7327902d5e53f2c0d3ea46564" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/", "method": "GET", "path": "\/actuator\/env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950612:spring-actuator" ], "waf_rule_names": [ "rce-0", "nosqli-3", "spring-actuator" ], "request_line": "GET \/actuator\/env HTTP\/1.1", "request_sample": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/", "evidence": { "method": "GET", "path": "\/actuator\/env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950612:spring-actuator" ], "waf_rule_names": [ "rce-0", "nosqli-3", "spring-actuator" ], "request_line": "GET \/actuator\/env HTTP\/1.1", "request_sample": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4ffb51dac365c0309170b487cbdf31329bfa2fdc", "protocol_details": { "http_method": "GET", "http_path": "\/actuator\/env", "request_line": "GET \/actuator\/env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/actuator\/env", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/actuator\/env", "request_line": "GET \/actuator\/env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/actuator\/env", "evidence_snippet": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +14 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950612:spring-actuator", "http_actuator_probe", "http_actuator_spring_probe", "http_probe_actuator", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:48 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /actuator/logfile	Élevée	Moyen · 59
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /actuator/logfile UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_actuator Cible HTTP GET /actuator/logfile TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /actuator/logfile Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 59 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /actuator Ligne de requête `GET /actuator/logfile HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /actuator/logfile HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/53 Requête brute (extrait) GET /actuator/logfile HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "040a89826d3eb8f60f68abe05208a91b116b5286", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "ca81dadbf99a3c62e140bf99ad6d41a1dcd8a3c8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 229, "payload_entropy": 5.377346948756683, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "7a5e0e6659da4cad1b3a497bb7e580306379cbe3", "event_fingerprint": "92e30f7aaa539737a00c080c0be258ab1020d84e", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0232" ], "matched_pattern_names": [ "Probe \/actuator" ], "pattern_ids": [ "pat-0232" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 59, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b24c868eb88f09716d34b010b594ad74", "payload_hash": "16e5e5ffc7d72347429981d8ec8f5a18", "path_pattern_hash": "a5db5df5e4c3194fc1ea58968235ef2d" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "GET \/actuator\/logfile HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/53", "method": "GET", "path": "\/actuator\/logfile", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/actuator\/logfile HTTP\/1.1", "request_sample": "GET \/actuator\/logfile HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/actuator\/logfile HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/actuator\/logfile", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/actuator\/logfile HTTP\/1.1", "request_sample": "GET \/actuator\/logfile HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/actuator\/logfile HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/53", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5dabdfd2645eef00556a52be6ed5b45f553d5ad6", "protocol_details": { "http_method": "GET", "http_path": "\/actuator\/logfile", "request_line": "GET \/actuator\/logfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/actuator\/logfile HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/53", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/actuator\/logfile", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 59, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 59, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/actuator\/logfile", "request_line": "GET \/actuator\/logfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/actuator\/logfile", "evidence_snippet": "GET \/actuator\/logfile HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/53", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_actuator", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:47 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /config/database.yml	Élevée	Moyen · 58
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /config/database.yml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/database.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /config/database.yml Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 58 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Cred Database YAML Cred Rails database credentials LFI Rails database.yml Ligne de requête `GET /config/database.yml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/database.yml HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit Requête brute (extrait) GET /config/database.yml HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "040a89826d3eb8f60f68abe05208a91b116b5286", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "324166cb65153559217bf0708f5a6254e46c2733", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 232, "payload_entropy": 5.400525201224462, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 58, "tag_count": 5, "anomaly_count": 0, "campaign_key": "212b571cbbdcf547a50ac9b4dd44b89471f302b2", "event_fingerprint": "e2a6703de887bae97eba3ce9ebc927f5db678b8c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0474", "pat-0487", "pat-0130" ], "matched_pattern_names": [ "Cred Database YAML", "Cred Rails database credentials", "LFI Rails database.yml" ], "pattern_ids": [ "pat-0474", "pat-0487", "pat-0130" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 58, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b24c868eb88f09716d34b010b594ad74", "payload_hash": "70c96346ebad7f311d9983ec58fb68fb", "path_pattern_hash": "8e18067a263c70f5df57381290358eb6" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 58 }, "payload_preview": "GET \/config\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit", "method": "GET", "path": "\/config\/database.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/database.yml HTTP\/1.1", "request_sample": "GET \/config\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/config\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit", "evidence": { "method": "GET", "path": "\/config\/database.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/database.yml HTTP\/1.1", "request_sample": "GET \/config\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/config\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c830e6848e8e69cbcb480c8622cf686d42994223", "protocol_details": { "http_method": "GET", "http_path": "\/config\/database.yml", "request_line": "GET \/config\/database.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/config\/database.yml", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 58, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 58, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/config\/database.yml", "request_line": "GET \/config\/database.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/config\/database.yml", "evidence_snippet": "GET \/config\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:47 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /phpinfo.php	Élevée	Moyen · 59
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /phpinfo.php UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950614:phpinfo http_probe_phpinfo Cible HTTP GET /phpinfo.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /phpinfo.php Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 59 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /phpinfo.php HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 phpinfo Payload (extrait) GET /phpinfo.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Requête brute (extrait) GET /phpinfo.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "54c432bdb9d4b33f9c3ec86efe5638e0b0b4338c", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "1808fe5d8b86eb029606d3db28531c6ec6a82fb5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 225, "payload_entropy": 5.367074880328933, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "7121082186cebe591ce2f30affe4295843c70402", "event_fingerprint": "a59ada05a54348c2254482565f9f70c7036e37e4", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 59, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "615fce795c02806e47e19eb87980fcd9", "payload_hash": "a78b82285cdce8b7a70930974798e58a", "path_pattern_hash": "a405682e93a85e32d41b3615cc2d6365" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "method": "GET", "path": "\/phpinfo.php", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950614:phpinfo" ], "waf_rule_names": [ "rce-0", "nosqli-3", "phpinfo" ], "request_line": "GET \/phpinfo.php HTTP\/1.1", "request_sample": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/phpinfo.php", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950614:phpinfo" ], "waf_rule_names": [ "rce-0", "nosqli-3", "phpinfo" ], "request_line": "GET \/phpinfo.php HTTP\/1.1", "request_sample": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "894ad5f97cdbf975e8a9495e99114aae38403ae1", "protocol_details": { "http_method": "GET", "http_path": "\/phpinfo.php", "request_line": "GET \/phpinfo.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/phpinfo.php", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 59, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 59, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/phpinfo.php", "request_line": "GET \/phpinfo.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/phpinfo.php", "evidence_snippet": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950614:phpinfo", "http_probe_phpinfo", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 00:06:46 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.git-credentials	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.git-credentials UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /.git-credentials TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.git-credentials Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Cred Git credentials store Ligne de requête `GET /.git-credentials HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.git-credentials HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /.git-credentials HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "git-credentials", "http_ua_hash": "07b3f636f85048d240c220c68060800feecba27d", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "33467536027c202c6eb146b8fd903b0b5c4e3853", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 214, "payload_entropy": 5.397559261826045, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d921ec69a9b485a9871a1300aceb6e60a3443aaa", "event_fingerprint": "a9ddb92e80cae5dd2d854121d02ce26c695c44e0", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0478" ], "matched_pattern_names": [ "Cred Git credentials store" ], "pattern_ids": [ "pat-0478" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c1397ca4c438ef7fc95e8a6f78f01a9b", "payload_hash": "8fdf56bec28685655f8fc6f988bf73ea", "path_pattern_hash": "c2a32b5320241c4bf559b31997cf1f32" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/.git-credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/.git-credentials", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.git-credentials HTTP\/1.1", "request_sample": "GET \/.git-credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git-credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/.git-credentials", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.git-credentials HTTP\/1.1", "request_sample": "GET \/.git-credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git-credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aae8edc57396ed79dc8e211fba1ebdace30d9d77", "protocol_details": { "http_method": "GET", "http_path": "\/.git-credentials", "request_line": "GET \/.git-credentials HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.git-credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git-credentials", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.git-credentials", "request_line": "GET \/.git-credentials HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git-credentials", "evidence_snippet": "GET \/.git-credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:45 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.aws/credentials	Élevée	Moyen · 57
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.aws/credentials UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /.aws/credentials TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.aws/credentials Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Cred AWS credentials file Ligne de requête `GET /.aws/credentials HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.aws/credentials HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/5 Requête brute (extrait) GET /.aws/credentials HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "aws\/credentials", "http_ua_hash": "54c432bdb9d4b33f9c3ec86efe5638e0b0b4338c", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "ace4c5fcde31b7bd909f97bc14a4a98472286e7e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 230, "payload_entropy": 5.367972992311273, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b353fdfad30457a6a20045ffa4aaa0582dc73b5c", "event_fingerprint": "2d09db4f3d75571021879d47c530e136d7b1dfe1", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0468" ], "matched_pattern_names": [ "Cred AWS credentials file" ], "pattern_ids": [ "pat-0468" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "615fce795c02806e47e19eb87980fcd9", "payload_hash": "b2fd9b9c219e55ada1c0c505cbeef532", "path_pattern_hash": "02b5f84eeada8b8c7cddae6a529f493a" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/.aws\/credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/5", "method": "GET", "path": "\/.aws\/credentials", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.aws\/credentials HTTP\/1.1", "request_sample": "GET \/.aws\/credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.aws\/credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/.aws\/credentials", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.aws\/credentials HTTP\/1.1", "request_sample": "GET \/.aws\/credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.aws\/credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/5", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2ff1d2cde4a00243fa60cd33f7d50629f0fc49e2", "protocol_details": { "http_method": "GET", "http_path": "\/.aws\/credentials", "request_line": "GET \/.aws\/credentials HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.aws\/credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/5", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.aws\/credentials", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.aws\/credentials", "request_line": "GET \/.aws\/credentials HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.aws\/credentials", "evidence_snippet": "GET \/.aws\/credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/5", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:44 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /wp-config.php	Élevée	Moyen · 61
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /wp-config.php UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950518:leak-5 http_backup_file_scan Cible HTTP GET /wp-config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /wp-config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /wp-config.php Ligne de requête `GET /wp-config.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-5 Payload (extrait) GET /wp-config.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH Requête brute (extrait) GET /wp-config.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "6f5b0a9fc247c6bb758a70fc6a40934213981d54", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "614b4fba7293e8b03e4e9dd43da4a4c26e954f4b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 221, "payload_entropy": 5.3778881590258605, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 92, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 61, "tag_count": 6, "anomaly_count": 0, "campaign_key": "735dc8b0b6c38a456cca7eb2bbc84c10340c8c3b", "event_fingerprint": "c10f741ba77b7646e14c1df5944605088f7f8208", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0195" ], "matched_pattern_names": [ "Probe \/wp-config.php" ], "pattern_ids": [ "pat-0195" ], "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bd33e731a9dc71ed698fb3458da6dbe5", "payload_hash": "c3f0620b759221b9d25b04997d15ca50", "path_pattern_hash": "c8d91e6e96b16ee20ca9851d4b7ccb28" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/wp-config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php HTTP\/1.1", "request_sample": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/wp-config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php HTTP\/1.1", "request_sample": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "019ece58a8f838cae3f63ce1f4ce446fe043e665", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php", "request_line": "GET \/wp-config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/wp-config.php", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php", "request_line": "GET \/wp-config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/wp-config.php", "evidence_snippet": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:44 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /wp-config.php.bak	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /wp-config.php.bak UA Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefo… Émulateur HTTP WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950518:leak-5 950521:leak-8 Cible HTTP GET /wp-config.php.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /wp-config.php.bak Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 933111 LFI WordPress config backup Probe /wp-config.php Ligne de requête `GET /wp-config.php.bak HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 leak-5 leak-8 Payload (extrait) GET /wp-config.php.bak HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Fir Requête brute (extrait) GET /wp-config.php.bak HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "80ed50a47ad6386e110103b40770259a62aae049", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "0372d7102c333673ea0de9e60c73911cb60bfb5f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 184, "payload_entropy": 5.313052377930809, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 8, "anomaly_count": 0, "campaign_key": "8990629be372e700429ec752bf441811ae0d5f0b", "event_fingerprint": "17ed34391d4cdd071affd6a5d1ae669a0d290860", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0160", "pat-0135", "pat-0195" ], "matched_pattern_names": [ "CRS 933111", "LFI WordPress config backup", "Probe \/wp-config.php" ], "pattern_ids": [ "pat-0160", "pat-0135", "pat-0195" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "860da5fd69b9a4398718dec0e118bfe0", "payload_hash": "e84a2fe98a011b217e7f128d1182b6f5", "path_pattern_hash": "c879a1d8584c2c545f6c6bb7a9f5a061" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Fir", "method": "GET", "path": "\/wp-config.php.bak", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5", "leak-8" ], "request_line": "GET \/wp-config.php.bak HTTP\/1.1", "request_sample": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Fir", "evidence": { "method": "GET", "path": "\/wp-config.php.bak", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5", "leak-8" ], "request_line": "GET \/wp-config.php.bak HTTP\/1.1", "request_sample": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Fir", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bd0eec42b7d85b3461fbf50230437d1cf9badc50", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.bak", "request_line": "GET \/wp-config.php.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Fir", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/wp-config.php.bak", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.bak", "request_line": "GET \/wp-config.php.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/wp-config.php.bak", "evidence_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Fir", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +14 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:43 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.env.development	Élevée	Moyen · 61
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.env.development UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.development TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env.development Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.development HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.development HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /.env.development HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "development", "http_ua_hash": "07b3f636f85048d240c220c68060800feecba27d", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "8a4e51701d196d7852353e13bcdd4450138c4d04", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 214, "payload_entropy": 5.403729942846331, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 92, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 61, "tag_count": 6, "anomaly_count": 0, "campaign_key": "5fec533cbc17e446e2c307860bd5db2bd11a3f41", "event_fingerprint": "96467ecf2d84d0658fb7beb3da94b4614dca2159", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c1397ca4c438ef7fc95e8a6f78f01a9b", "payload_hash": "6f4ff72cfc2445d228c0210dc4d9c8cb", "path_pattern_hash": "c0c440edf0616e70222e5cd82887a202" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/.env.development", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.development HTTP\/1.1", "request_sample": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/.env.development", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.development HTTP\/1.1", "request_sample": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b4fb3aac710e16d7a2a48f57bfc676b6bc8e7acd", "protocol_details": { "http_method": "GET", "http_path": "\/.env.development", "request_line": "GET \/.env.development HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.development", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.env.development", "request_line": "GET \/.env.development HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.development", "evidence_snippet": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:42 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.env.bak	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.env.bak UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Cible HTTP GET /.env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env.bak Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.bak HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /.env.bak HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /.env.bak HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "6f5b0a9fc247c6bb758a70fc6a40934213981d54", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "4a5fcefd2e38e385c845c219c16c9499f238dece", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 216, "payload_entropy": 5.378217548979011, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 9, "anomaly_count": 0, "campaign_key": "29e04f6850d93dbf4e9875dbc1b2067fc8f6c551", "event_fingerprint": "ed13d740c31d2c98b9a4699ea7b76b9e1f77c134", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bd33e731a9dc71ed698fb3458da6dbe5", "payload_hash": "1345d30c8f1abbd302cd5ad97d455fc2", "path_pattern_hash": "e884c8b66a9cc0dbcd8816b9898313a2" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/.env.bak", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.bak HTTP\/1.1", "request_sample": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/.env.bak", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.bak HTTP\/1.1", "request_sample": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6fc901c97b93f27a2bcbaa7f6f6b437da04816bd", "protocol_details": { "http_method": "GET", "http_path": "\/.env.bak", "request_line": "GET \/.env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.bak", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.env.bak", "request_line": "GET \/.env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.bak", "evidence_snippet": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +14 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_probe_env", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:42 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.env.docker	Élevée	Moyen · 61
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.env.docker UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.docker TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env.docker Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.docker HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.docker HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /.env.docker HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "docker", "http_ua_hash": "9315af92496b848eed5ed988a938df67ee36a260", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "fffaa1342f06e8670d7edda0bc9461e93e4a0f1f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 233, "payload_entropy": 5.345218051986802, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 92, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 61, "tag_count": 6, "anomaly_count": 0, "campaign_key": "5fec533cbc17e446e2c307860bd5db2bd11a3f41", "event_fingerprint": "1680179ea5e87eb45a9fd52e4928e4bdb52c8f9d", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "40b58db0069d1a73ee9d23fa54874615", "payload_hash": "12a7275198064dbbe72706ddd56a3a18", "path_pattern_hash": "4424df1cf14166f6194446e711e46b03" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/.env.docker", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.docker HTTP\/1.1", "request_sample": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/.env.docker", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.docker HTTP\/1.1", "request_sample": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "87b57934ee998ef9761ef9a4719a50ae3cde356a", "protocol_details": { "http_method": "GET", "http_path": "\/.env.docker", "request_line": "GET \/.env.docker HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124\u2026", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.docker", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.env.docker", "request_line": "GET \/.env.docker HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124\u2026", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.docker", "evidence_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:41 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.env.prod	Élevée	Moyen · 61
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.env.prod UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.prod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env.prod Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.prod HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.prod HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/2010010 Requête brute (extrait) GET /.env.prod HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "prod", "http_ua_hash": "abcecdd24d00f76aa87a7f19ce44d01537e01df4", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "dbae5bda5d181ccfbfc6b75e40a8edbe5f27e87d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 189, "payload_entropy": 5.217414438230896, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 92, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 61, "tag_count": 6, "anomaly_count": 0, "campaign_key": "5fec533cbc17e446e2c307860bd5db2bd11a3f41", "event_fingerprint": "2351e3d6a8bff32927ea0c0eb7db1808deaddca1", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f631915c7d7a8dcb91e1608a166d21b7", "payload_hash": "268305f37a15f2c1793b324d137ac32c", "path_pattern_hash": "d6acfe32219429bb20e7ee2ee79adb21" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/2010010", "method": "GET", "path": "\/.env.prod", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.prod HTTP\/1.1", "request_sample": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/2010010", "evidence": { "method": "GET", "path": "\/.env.prod", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.prod HTTP\/1.1", "request_sample": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/2010010", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b9e6285980111869dcbd6fb5566cd50b94133dba", "protocol_details": { "http_method": "GET", "http_path": "\/.env.prod", "request_line": "GET \/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/2010010", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.prod", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.env.prod", "request_line": "GET \/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.prod", "evidence_snippet": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/2010010", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:41 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.env.old	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.env.old UA Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Cible HTTP GET /.env.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env.old Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.old HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /.env.old HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, l Requête brute (extrait) GET /.env.old HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "old", "http_ua_hash": "572d0d5c8fdfe1422b8eda4ab577fb9f29b639e1", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "5c6d2af3e13d17105c8f5fb6187fb5c332303b42", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 222, "payload_entropy": 5.349041517345139, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 9, "anomaly_count": 0, "campaign_key": "29e04f6850d93dbf4e9875dbc1b2067fc8f6c551", "event_fingerprint": "e5d338ee2df32b42a3a5a14ffa3e7104b3c35bfa", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cc512f8aa6b1eef151c71762d3763fdb", "payload_hash": "0b955abd9253bb3f55c9baf0c043e3d4", "path_pattern_hash": "3807eb1255fb0315f3ffbb94c31e25e0" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, l", "method": "GET", "path": "\/.env.old", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.old HTTP\/1.1", "request_sample": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, l", "evidence": { "method": "GET", "path": "\/.env.old", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.old HTTP\/1.1", "request_sample": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, l", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "81ba16203a7330c6a8f56c8433840101e7c89e22", "protocol_details": { "http_method": "GET", "http_path": "\/.env.old", "request_line": "GET \/.env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, l", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.old", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.env.old", "request_line": "GET \/.env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.old", "evidence_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, l", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +14 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_probe_env", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:40 UTC	TCP	2083 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:2083 · (tentative d'exploit) · → /.env.backup	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.backup UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env.backup Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive pat-0191 pat-0192 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Probe /.env.backup Ligne de requête `GET /.env.backup HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.backup HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.1 Requête brute (extrait) GET /.env.backup HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "backup", "http_ua_hash": "4f8de184f8ed7de640ee9993663e3ccef9f72770", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "0cdfae489c44fe084f54d0d07b1f18ad12bec86e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 224, "payload_entropy": 5.365983315194553, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "5fec533cbc17e446e2c307860bd5db2bd11a3f41", "event_fingerprint": "a31d1233092aa4749ef8ed294194c29ff477c06b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0192", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0192", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191", "pat-0192" ], "matched_pattern_names": [ "Probe \/.env", "Probe \/.env.backup" ], "pattern_ids": [ "pat-0191", "pat-0192" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 14 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "428433546e1408b0c726846a5d8a3b70", "payload_hash": "497c30942b58a20252bde2c6560338f6", "path_pattern_hash": "46237bd90c824ac71e080a2ce5957ff9" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.1", "method": "GET", "path": "\/.env.backup", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.backup HTTP\/1.1", "request_sample": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.1", "evidence": { "method": "GET", "path": "\/.env.backup", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.backup HTTP\/1.1", "request_sample": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.1", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e6c77b84e63d44ec5c6198683a64f1e54662ecf", "protocol_details": { "http_method": "GET", "http_path": "\/.env.backup", "request_line": "GET \/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.1", "attack_vector": "config file probe \u00b7 via HTTP:2083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.backup", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 14 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0192" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "pat-0192" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.env.backup", "request_line": "GET \/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:2083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.backup", "evidence_snippet": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.1", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:40 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.env.save	Élevée	Moyen · 61
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.env.save UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.save TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env.save Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.save HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.save HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /.env.save HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "save", "http_ua_hash": "6f5b0a9fc247c6bb758a70fc6a40934213981d54", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "b6acd8fd883f6c293e3cda5fd50434818eb0b3df", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 217, "payload_entropy": 5.369010840445591, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 92, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 61, "tag_count": 6, "anomaly_count": 0, "campaign_key": "5fec533cbc17e446e2c307860bd5db2bd11a3f41", "event_fingerprint": "cec72c55ee83da4c9b9a2f3226137456dd1028ab", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bd33e731a9dc71ed698fb3458da6dbe5", "payload_hash": "82facbb12d2dbd6272af9e59c000e6e9", "path_pattern_hash": "f8bd9e65b618d21d6e757070964bc6e1" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/.env.save", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.save HTTP\/1.1", "request_sample": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/.env.save", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.save HTTP\/1.1", "request_sample": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "204f34419822a0c0b902798f9383a3c43bb9af55", "protocol_details": { "http_method": "GET", "http_path": "\/.env.save", "request_line": "GET \/.env.save HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.save", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.env.save", "request_line": "GET \/.env.save HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.save", "evidence_snippet": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:39 UTC	TCP	2083 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:2083 · (tentative d'exploit) · → /.env.production	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.production UA Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive pat-0191 pat-0194 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Probe /.env Probe /.env.production Ligne de requête `GET /.env.production HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Règles WAF rce-0 ssrf-3 nosqli-3 leak-1 Payload (extrait) GET /.env.production HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com Requête brute (extrait) GET /.env.production HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "production", "http_ua_hash": "59c3d4f2509c82627f0eeb8e0e13ae1254eb4065", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "9b39fa6529cda07275007291b337879405a04c62", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 184, "payload_entropy": 5.112329727480016, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "5430420f1a5ab94a61e1cded9fca85870bf6c488", "event_fingerprint": "73b2ad31fe4f79fa391f51c9ec2ace46824d1707", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0103", "pat-0191", "pat-0194" ], "matched_pattern_names": [ "LFI Double-dot bypass", "Probe \/.env", "Probe \/.env.production" ], "pattern_ids": [ "pat-0103", "pat-0191", "pat-0194" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 18 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "043937ea8abaea325dbde1020b1bdd9f", "payload_hash": "82692d18991d4e0ba804f119780ca7df", "path_pattern_hash": "a397c8c79032c8a19624fdccf1ae5680" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com", "method": "GET", "path": "\/.env.production", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.production HTTP\/1.1", "request_sample": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com", "evidence": { "method": "GET", "path": "\/.env.production", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.production HTTP\/1.1", "request_sample": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8eedfdf21fa667e5b01b4211c2b369091bfa9dbb", "protocol_details": { "http_method": "GET", "http_path": "\/.env.production", "request_line": "GET \/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com", "attack_vector": "config file probe \u00b7 via HTTP:2083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.production", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "pat-0194" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.env.production", "request_line": "GET \/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:2083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.production", "evidence_snippet": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 1.49, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:38 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.env	Élevée	Moyen · 62
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.env UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Fir Requête brute (extrait) GET /.env HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "env", "http_ua_hash": "abcecdd24d00f76aa87a7f19ce44d01537e01df4", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "9ee0d3f55b39072ba6bec6203d26e470be80afdc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 184, "payload_entropy": 5.209471861055072, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 92, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 7, "anomaly_count": 0, "campaign_key": "ce33d03d801b9024fb0f06742de3eb78c0d2f20e", "event_fingerprint": "1db6b7bad8d9f1c4182cc1f54e08ab4e6ac8e572", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f631915c7d7a8dcb91e1608a166d21b7", "payload_hash": "6621b78becd85de79976ba74cb950dea", "path_pattern_hash": "aef81e7735de8f42b73e111497498c8b" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Fir", "method": "GET", "path": "\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env HTTP\/1.1", "request_sample": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Fir", "evidence": { "method": "GET", "path": "\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env HTTP\/1.1", "request_sample": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Fir", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fd50bfa1c9b98e984cc518201cf38d65b784a7db", "protocol_details": { "http_method": "GET", "http_path": "\/.env", "request_line": "GET \/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Fir", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.env", "request_line": "GET \/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env", "evidence_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Fir", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +18 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 2.06, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_env", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:37 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.git/refs/heads/main	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.git/refs/heads/main UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950513:leak-0 Cible HTTP GET /.git/refs/heads/main TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.git/refs/heads/main Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /.git/refs/heads/main HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-0 Payload (extrait) GET /.git/refs/heads/main HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /.git/refs/heads/main HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "git\/refs\/heads\/main", "http_ua_hash": "6f5b0a9fc247c6bb758a70fc6a40934213981d54", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "224aef6c29ba33c300fde4c406757d32c8a6334c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 228, "payload_entropy": 5.371073814299326, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 9, "anomaly_count": 0, "campaign_key": "eccbdf25b966cc63d540005da1bbbe7c41dfe4d8", "event_fingerprint": "c1829a4eac8a0f7b33d0566e7058ed19839c5fa0", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bd33e731a9dc71ed698fb3458da6dbe5", "payload_hash": "a49fb592611f4c2d97437d9d1b66bfbc", "path_pattern_hash": "60be1b30b8f9cc34bcfa237561933520" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.git\/refs\/heads\/main HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/.git\/refs\/heads\/main", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/refs\/heads\/main HTTP\/1.1", "request_sample": "GET \/.git\/refs\/heads\/main HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/refs\/heads\/main HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/.git\/refs\/heads\/main", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/refs\/heads\/main HTTP\/1.1", "request_sample": "GET \/.git\/refs\/heads\/main HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/refs\/heads\/main HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "93fc886ab588cf9e7c8446244c6767205f9a1cb7", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/refs\/heads\/main", "request_line": "GET \/.git\/refs\/heads\/main HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.git\/refs\/heads\/main HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/refs\/heads\/main", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/refs\/heads\/main", "request_line": "GET \/.git\/refs\/heads\/main HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/refs\/heads\/main", "evidence_snippet": "GET \/.git\/refs\/heads\/main HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 2.89, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0", "http_backup_file_scan", "http_git_exposure", "http_probe_git", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:37 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.git/index	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.git/index UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950513:leak-0 Cible HTTP GET /.git/index TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.git/index Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /.git/index Ligne de requête `GET /.git/index HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-0 Payload (extrait) GET /.git/index HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 ( Requête brute (extrait) GET /.git/index HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "git\/index", "http_ua_hash": "040a89826d3eb8f60f68abe05208a91b116b5286", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "599e59a42cb71373111f2fc13a586e0adc0040e3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 223, "payload_entropy": 5.3818025469047726, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 9, "anomaly_count": 0, "campaign_key": "eccbdf25b966cc63d540005da1bbbe7c41dfe4d8", "event_fingerprint": "14b3ba173ef2f98bdcbd399e5f40608358eff90e", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0199" ], "matched_pattern_names": [ "Probe \/.git\/index" ], "pattern_ids": [ "pat-0199" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b24c868eb88f09716d34b010b594ad74", "payload_hash": "f0dc7a1eab760a9b6227ffcec8ffe84c", "path_pattern_hash": "1a24fbe3e34c1ea547b8677072fa65d3" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.git\/index HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (", "method": "GET", "path": "\/.git\/index", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/index HTTP\/1.1", "request_sample": "GET \/.git\/index HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/index HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/.git\/index", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/index HTTP\/1.1", "request_sample": "GET \/.git\/index HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/index HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b473359ae132e76e0def9ea7a3f8934a43dadb2e", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/index", "request_line": "GET \/.git\/index HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.git\/index HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/index", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/index", "request_line": "GET \/.git\/index HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/index", "evidence_snippet": "GET \/.git\/index HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 2.4, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0", "http_backup_file_scan", "http_git_exposure", "http_probe_git", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:36 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.git/refs/heads/master	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.git/refs/heads/master UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950513:leak-0 Cible HTTP GET /.git/refs/heads/master TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.git/refs/heads/master Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /.git/refs/heads/master HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-0 Payload (extrait) GET /.git/refs/heads/master HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /.git/refs/heads/master HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "git\/refs\/heads\/master", "http_ua_hash": "07b3f636f85048d240c220c68060800feecba27d", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "e2ddeb0180247c800c169d74d130a5c8f6d3cfe2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 220, "payload_entropy": 5.415015066322451, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 9, "anomaly_count": 0, "campaign_key": "eccbdf25b966cc63d540005da1bbbe7c41dfe4d8", "event_fingerprint": "22887339b443a07807e60bb80a41b1f9b62fc106", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c1397ca4c438ef7fc95e8a6f78f01a9b", "payload_hash": "c144b8614c16cee9f135b6c3ff8f8486", "path_pattern_hash": "f5219a1b30edcca8d01268be8b2b506c" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.git\/refs\/heads\/master HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/.git\/refs\/heads\/master", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/refs\/heads\/master HTTP\/1.1", "request_sample": "GET \/.git\/refs\/heads\/master HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/refs\/heads\/master HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/.git\/refs\/heads\/master", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/refs\/heads\/master HTTP\/1.1", "request_sample": "GET \/.git\/refs\/heads\/master HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/refs\/heads\/master HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHT", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "933e2f73006e3b6f5b08fcc1eb26c8cff411f2d3", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/refs\/heads\/master", "request_line": "GET \/.git\/refs\/heads\/master HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.git\/refs\/heads\/master HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHT", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/refs\/heads\/master", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/refs\/heads\/master", "request_line": "GET \/.git\/refs\/heads\/master HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/refs\/heads\/master", "evidence_snippet": "GET \/.git\/refs\/heads\/master HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHT", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 3.63, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0", "http_backup_file_scan", "http_git_exposure", "http_probe_git", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:35 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.git/HEAD	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.git/HEAD UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950513:leak-0 Cible HTTP GET /.git/HEAD TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.git/HEAD Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET .git HEAD Probe /.git/HEAD Ligne de requête `GET /.git/HEAD HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15 Règles WAF rce-0 nosqli-3 leak-0 Payload (extrait) GET /.git/HEAD HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 Requête brute (extrait) GET /.git/HEAD HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "git\/head", "http_ua_hash": "4f8de184f8ed7de640ee9993663e3ccef9f72770", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "a5bdb37ad3aa5fc1e8e58237e6cb768f00ae6952", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 222, "payload_entropy": 5.356928938413574, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 9, "anomaly_count": 0, "campaign_key": "eccbdf25b966cc63d540005da1bbbe7c41dfe4d8", "event_fingerprint": "20adab89794dfd3ce901d81c816b7b8e611932a4", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0749", "pat-0197" ], "matched_pattern_names": [ "ET .git HEAD", "Probe \/.git\/HEAD" ], "pattern_ids": [ "pat-0749", "pat-0197" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "428433546e1408b0c726846a5d8a3b70", "payload_hash": "2324a6916a7f37817a22524f99a3a4e2", "path_pattern_hash": "353579f4025217f1143d65b4213aaffa" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 ", "method": "GET", "path": "\/.git\/HEAD", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/HEAD HTTP\/1.1", "request_sample": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15", "evidence": { "method": "GET", "path": "\/.git\/HEAD", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/HEAD HTTP\/1.1", "request_sample": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6b69539df8f7fd07d7c9e7748e0d0d917d70d80b", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/HEAD", "request_line": "GET \/.git\/HEAD HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/HEAD", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/HEAD", "request_line": "GET \/.git\/HEAD HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/HEAD", "evidence_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 47.33, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0", "http_backup_file_scan", "http_git_exposure", "http_probe_git", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:35 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.git/config	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.git/config UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950513:leak-0 Cible HTTP GET /.git/config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.git/config Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /.git/config Ligne de requête `GET /.git/config HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0 Règles WAF rce-0 nosqli-3 leak-0 Payload (extrait) GET /.git/config HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /.git/config HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "git\/config", "http_ua_hash": "9315af92496b848eed5ed988a938df67ee36a260", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "e2f253eab0d0cf5422d24d22ae2a4954398768df", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 233, "payload_entropy": 5.333025668946655, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 9, "anomaly_count": 0, "campaign_key": "eccbdf25b966cc63d540005da1bbbe7c41dfe4d8", "event_fingerprint": "66f4f7bee89277b16e7a447959d7f731604c4b3b", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0198" ], "matched_pattern_names": [ "Probe \/.git\/config" ], "pattern_ids": [ "pat-0198" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "40b58db0069d1a73ee9d23fa54874615", "payload_hash": "d8180ff3d3bd3bfcf9e72526f4f1f0f0", "path_pattern_hash": "3ec26e4f0817b37785cd5e68fed88892" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/.git\/config", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/config HTTP\/1.1", "request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/.git\/config", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/config HTTP\/1.1", "request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f7459de3a68109fcd44ee8d7ecd4f43c6a27a5a6", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/config", "request_line": "GET \/.git\/config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124\u2026", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/config", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/config", "request_line": "GET \/.git\/config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124\u2026", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/config", "evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 10.93, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0", "http_backup_file_scan", "http_git_exposure", "http_probe_git", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:34 UTC	TCP	2095	—	Scan de ports port scan syn · port 2095 · (reconnaissance)	Faible	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2095 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +12 Risque capteur Moyen · 42 Confiance : Confiance élevée (100 %) — signaux convergents Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": null, "app_proto": null, "asn": 16509, "country": "KR", "dst_port": 2095, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 42, "tag_count": 0, "anomaly_count": 0, "campaign_key": "71fde937e85a7f9549deacf18c1a305f326580ab", "event_fingerprint": "beb69de90685708107478fb51eb34bd128b33d3d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "named_classification_skipped": false, "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2095, "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "365d8b4b7a0fc9321cebe5df753160431fb29fe1", "protocol_details": { "port": 2095 }, "attack_vector": "port scan syn \u00b7 port 2095 \u00b7 (reconnaissance)", "target_port_label": "2095", "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 2095, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "scan_rapide", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +12", "protocol_details": { "port": 2095 }, "attack_vector": "port scan syn \u00b7 port 2095 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "2095", "emulator_service": null, "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +12", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "2095" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 30, "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "cpanel-ssl", "port:2077", "port:2095" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 12, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
18/06/2026 00:06:34 UTC	TCP	2087 · CPANEL WHM	cpanel-whm	Scan de ports port scan syn · via CPANEL WHM:2087 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur CPANEL-WHM WAF — Recommandation Surveiller Tags cpanel_whm_emulated net_cpanel_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2087 Chemin / cible — Service CPANEL WHM Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "cpanel-whm", "app_proto": "cpanel-whm", "asn": 16509, "country": "KR", "dst_port": 2087, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "3cc87787de2487ea19b1ca6395cfb4b7f29c83e1", "event_fingerprint": "bd94c1be47794e5b05816ea1bc287e14296ba082", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "cpanel-whm", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2087, "service": "cpanel-whm", "service_name": "cpanel-whm", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ba57e2fd8ac1f8e44ea7217c6e5d041b38e985cf", "protocol_details": { "port": 2087, "service": "cpanel-whm", "service_label_fr": "CPANEL WHM" }, "attack_vector": "port scan syn \u00b7 via CPANEL WHM:2087 \u00b7 (reconnaissance)", "target_port_label": "2087 \u00b7 CPANEL WHM", "emulator_service": "cpanel-whm", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CPANEL WHM \u2014 multi-protocole (4 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "cpanel-whm", "service_label_fr": "CPANEL WHM", "dst_port": 2087, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cpanel-whm", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "port": 2087, "service": "cpanel-whm", "service_label_fr": "CPANEL WHM" }, "attack_vector": "port scan syn \u00b7 via CPANEL WHM:2087 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "2087 \u00b7 CPANEL WHM", "emulator_service": "cpanel-whm", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cpanel_whm", "service_banner": "honeypot-cpanel-whm", "service_os": "linux", "dst_port": "2087" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 2077, 2083, 2087, 2095 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 40, "multi_protocol_correlation": true, "multi_protocol_count": 4, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "port:2077", "port:2095" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cpanel_whm_emulated", "net_cpanel_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:06:34 UTC	TCP	2078	—	Scan de ports port scan syn · port 2078 · (reconnaissance)	Faible	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2078 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance élevée (100 %) — signaux convergents Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": null, "app_proto": null, "asn": 16509, "country": "KR", "dst_port": 2078, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 42, "tag_count": 0, "anomaly_count": 0, "campaign_key": "1950897cdf5c623ca137b6961ae3e9ab8073e242", "event_fingerprint": "fe4076eb8064813c8708b6e0d01947d5de16950c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2078, "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6406d85cd04efb452fe32f89797732868430c45f", "protocol_details": { "port": 2078 }, "attack_vector": "port scan syn \u00b7 port 2078 \u00b7 (reconnaissance)", "target_port_label": "2078", "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 multi-protocole (5 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 2078, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "port": 2078 }, "attack_vector": "port scan syn \u00b7 port 2078 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "2078", "emulator_service": null, "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "2078" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 5, "port_scan_ports_sample": [ 2077, 2078, 2083, 2087, 2095 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 5, "scan_velocity_ports_per_s": 50, "multi_protocol_correlation": true, "multi_protocol_count": 5, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "port:2077", "port:2078", "port:2095" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }

3.38.144.20

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence