Renseignement sur les menaces

Royaume-Uni

31.14.254.86

FAI Hydra Communications Ltd Première vue 25/04/2026 08:41 UTC Dernière vue 18/06/2026 04:52 UTC Risque Critique

Période analysée : 2026-05-20 → 2026-06-19

Activité suspecte — risque 59/100 (Moyen) — MITRE TA0001 — confiance 95 % — via HTTP

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

100

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 100/100 Critique

Première observation 25/04/2026 08:41 UTC

Dernière observation 18/06/2026 04:52 UTC

Événements (période) 82

MITRE ATT&CK principal TA0001 16 occurrences

Activité suspecte — risque 59/100 (Moyen) — MITRE TA0001 — confiance 95 % — via HTTP

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%

Confiance 95 % — Score WAF 100 · 5 tag(s) WAF

Comparaison ASN / FAI

ASN 25369 · 31.14.254.0/24 · RIPENCC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 82 événements sur la période pour cette IP.

185.216.145.180 Sonde SAP Diag/GUI 19/06/2026 15:19 UTC
69.5.169.141 tor exit probe 19/06/2026 15:18 UTC
31.14.254.78 Sonde RDP 19/06/2026 15:18 UTC
193.176.29.29 Sonde RDP 19/06/2026 15:18 UTC
69.5.169.139 Sonde RDP 19/06/2026 15:18 UTC
188.240.59.6 Traversal LFI 19/06/2026 15:15 UTC
89.37.172.138 Traversal LFI 19/06/2026 15:14 UTC
31.14.254.2 Sonde HTTP smuggling 19/06/2026 15:14 UTC

Événements (filtres)

Première observation

25/04/2026 08:41 UTC

Dernière observation

18/06/2026 04:52 UTC

Dernière activité (filtres)

18/06/2026 04:52 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 45 TLS TCP 20 NFS TCP 1 OPENVPN TCP 1 SAP ICM TCP 1 GLASSFISH TCP 1 MINECRAFT TCP 1

HTTP

TLS

NFS

OPENVPN

SAP ICM

GLASSFISH

Géolocalisation

Origine réseau déclarée

Royaume-Uni unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Hydra Communications Ltd 83 Port 6046 http_smuggling_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

http smuggling probe · via HTTP:6046 · (tentative d'exploit) · → /mcp

Détails protocole

Méthode: POST
Chemin: /mcp
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)

Aperçu payload

POST /mcp HTTP/1.1 Host: 62.3.50.33:6046 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-

Port / service

6046 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF

Technique MITRE

TA0001

Persona capteur

mail.sensor-1.internal

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0842

Confiance

95%

Famille de menace

web_injection

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

82 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

82 événement(s) — page 1/2

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
18/06/2026 04:52:49 UTC	TCP	6046 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:6046 · (tentative d'exploit) · → /mcp	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 34 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST /mcp TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 6046 Chemin / cible /mcp Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 59 Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST /mcp HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 Payload (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:6046 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content- Requête brute (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:6046 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versio Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "b117f50cd819d0abab2d5e2a6d84e80dc35d75a5", "http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 447, "payload_entropy": 5.206336872561806, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 6046, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "d527af0bd3d87b84e5037cc14a6c175a6b6b6ffa", "event_fingerprint": "e81bb8848cd116897280de267cd311d50ff2be86", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "2197f205045e5655819c52ccdf384627", "path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3" }, "target_context": { "dst_port": 6046, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6046\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6046\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6046\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "evidence": { "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6046\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6046\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f3118f6c8f71795d346eda59e58441cba7cf2e4b", "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6046, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6046\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "attack_vector": "http smuggling probe \u00b7 via HTTP:6046 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "target_port_label": "6046 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6046, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6046, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:6046 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6046\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "target_port_label": "6046 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6046" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ] }
18/06/2026 01:31:30 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde SAP ICM HTTP Sonde SAP ICM / WebDynpro · via SAP ICM:8000 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_sap_web_probe sap_icm_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Payload GET / HTTP/1.1 Host: 62.3.50.33:8000 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 0% Confiance classification 10% Corrélation +10 Risque capteur Faible · 34 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) LFI Double-dot bypass User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8000 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8000 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 173, "payload_entropy": 5.174570842806656, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "sap-icm", "app_proto": "sap-icm", "asn": 25369, "country": "GB", "dst_port": 8000, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 48, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25 }, "risk_score": 34, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f4d3bfae803bd07fc62331c16ac15c5323341684", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.1, "classification_confidence": 0.1, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25, "risk_score": 34, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e530f0b6f0cebc9667596570e7c54d5b", "path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 34 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "adc62645b0ab5a10c1560140ec6ce2d1430274ed", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 10, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25, "risk_score": 34, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 34, "risk_label": "Faible", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8000\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (31.14.254.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "31.14.254.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ] }
17/06/2026 13:59:32 UTC	TCP	20749 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:20749 · (tentative d'exploit) · → /sse	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /sse TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20749 Chemin / cible /sse Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 69% Corrélation +10 Risque capteur Moyen · 56 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /sse HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:20749 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: Requête brute (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:20749 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "0b6119a7420e5ad8e788dd1f42c476ffa7891a78", "http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.193897807078057, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 20749, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b7069f766b700feccea295890a46625efd70bfc3", "event_fingerprint": "a356d423eaa0368f8b561d624225709fffd1ed8e", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.69, "classification_confidence": 0.69, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 56, "correlation_boost": 10 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "f02bb25982d8d9196eac199f3a1ff86e", "path_pattern_hash": "9c55a765acd7167a274de1a30a6df566" }, "target_context": { "dst_port": 20749, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:20749\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ", "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:20749\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:20749\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "evidence": { "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:20749\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:20749\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1b465b802cca92ca847333f429b9abe3ef567dcf", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 20749, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:20749\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "attack_vector": "lfi path traversal \u00b7 via HTTP:20749 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "target_port_label": "20749 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (31.14.254.0\/24)", "confidence_pct": 69, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 56, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20749, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 20749, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:20749 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:20749\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "target_port_label": "20749 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (31.14.254.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20749" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "31.14.254.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
17/06/2026 13:47:22 UTC	TCP	4514 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:4514 · (tentative d'exploit) · → /sse	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /sse TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4514 Chemin / cible /sse Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 69% Corrélation +10 Risque capteur Moyen · 57 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /sse HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:4514 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: t Requête brute (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:4514 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "6789dfffe5b72c52efa78042ffae9be66e331b44", "http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 190, "payload_entropy": 5.159280279356831, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 4514, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "af0a30cac50acaa38e23738b5a1521848412e3aa", "event_fingerprint": "dfdaa6ff39ebf69434e8e88107277b99d41175ad", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.69, "classification_confidence": 0.69, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 57, "correlation_boost": 10 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "1128aecb652ea888db29659524006247", "path_pattern_hash": "9c55a765acd7167a274de1a30a6df566" }, "target_context": { "dst_port": 4514, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:4514\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:4514\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:4514\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "evidence": { "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:4514\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:4514\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a7e0d0489c39dd8d34a42ec810c65ff3d08d6ec3", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 4514, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:4514\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "attack_vector": "lfi path traversal \u00b7 via HTTP:4514 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "target_port_label": "4514 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (31.14.254.0\/24)", "confidence_pct": 69, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 57, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4514, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 4514, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:4514 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:4514\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "target_port_label": "4514 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (31.14.254.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4514" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "31.14.254.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
17/06/2026 13:42:20 UTC	TCP	11064 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:11064 · (tentative d'exploit) · → /sse	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /sse TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 11064 Chemin / cible /sse Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 69% Corrélation +10 Risque capteur Moyen · 59 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /sse HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:11064 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: Requête brute (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:11064 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "1011749e44d96d056b2f3db868adf62d5b56d917", "http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.158009048060919, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 11064, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 59, "tag_count": 4, "anomaly_count": 0, "campaign_key": "76ffd9b1a1ebf49b501416c186e0eed256741490", "event_fingerprint": "a24e590391cc670af1dfc5a0c7bb4727e836752b", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.69, "classification_confidence": 0.69, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 59, "correlation_boost": 10 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "5b323d4873856533744b3d368b8a8bbe", "path_pattern_hash": "9c55a765acd7167a274de1a30a6df566" }, "target_context": { "dst_port": 11064, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11064\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ", "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11064\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11064\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "evidence": { "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11064\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11064\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f9aa00c4f78be5af67cab30d675fe594eafb00ec", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 11064, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11064\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "attack_vector": "lfi path traversal \u00b7 via HTTP:11064 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "target_port_label": "11064 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (31.14.254.0\/24)", "confidence_pct": 69, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 59, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 59, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 11064, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 11064, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:11064 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11064\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "target_port_label": "11064 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (31.14.254.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "11064" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "31.14.254.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
17/06/2026 13:07:21 UTC	TCP	29440 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:29440 · (tentative d'exploit) · → /sse	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /sse TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 29440 Chemin / cible /sse Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 69% Corrélation +10 Risque capteur Moyen · 57 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /sse HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:29440 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: Requête brute (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:29440 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "b728199a62e8bc4de8f3e9699b5a0fe651012d0b", "http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.1834266028895755, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 29440, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "40f58f2e2a0c6237c66fa94e38569a91686d8ea2", "event_fingerprint": "f768abba1d095f6b1f7bca4909d1518a53dba307", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.69, "classification_confidence": 0.69, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 57, "correlation_boost": 10 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "4b52c15e4cba2f68f042405e6f67ee19", "path_pattern_hash": "9c55a765acd7167a274de1a30a6df566" }, "target_context": { "dst_port": 29440, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29440\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ", "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29440\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29440\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "evidence": { "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29440\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29440\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d38fc6211744b0d4f30f3f26e98858bcf0041d45", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 29440, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29440\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "attack_vector": "lfi path traversal \u00b7 via HTTP:29440 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "target_port_label": "29440 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (31.14.254.0\/24)", "confidence_pct": 69, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 57, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 29440, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 29440, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:29440 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:29440\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:", "target_port_label": "29440 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (31.14.254.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "29440" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "31.14.254.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
17/06/2026 06:23:34 UTC	TCP	14440 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:14440 · (tentative d'exploit) · → /mcp	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 34 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST /mcp TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 14440 Chemin / cible /mcp Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Moyen · 63 Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST /mcp HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 Payload (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:14440 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content Requête brute (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:14440 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versi Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "eeacdd454b95ac0981a2aa8e93190b89a1ca0f2d", "http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 448, "payload_entropy": 5.213033876491124, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 14440, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "49f1da54141487b6a502aad510cda641b36dd53a", "event_fingerprint": "17ff02b84394a53e66661aa364033fb7a66b8385", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 63, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "8d756cf613ee95d4e6af2dd5e46d524a", "path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3" }, "target_context": { "dst_port": 14440, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:14440\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:14440\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:14440\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "evidence": { "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:14440\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:14440\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1989fdf4cdf959ec792b474b3981ad329ea2b2b1", "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 14440, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:14440\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "attack_vector": "http smuggling probe \u00b7 via HTTP:14440 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "target_port_label": "14440 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (31.14.254.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 63, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 14440, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 14440, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:14440 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:14440\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent", "target_port_label": "14440 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (31.14.254.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "14440" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "31.14.254.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ] }
16/06/2026 19:46:48 UTC	TCP	7547 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:7547 · (tentative d'exploit) · → /favicon.ico	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole GET /favicon.ico UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7547 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 50% Confiance classification 60% Corrélation +10 Risque capteur Moyen · 56 Confiance : Confiance 50 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:7547 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) A Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:7547 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "89d87453121897c0b4544fa397f8c826335c2714", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 184, "payload_entropy": 5.197840762032827, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 7547, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "cd19852343b113f1a64c1600d91f2a473eadf158", "event_fingerprint": "b4e4abc50c9fded2bbd2805f71d83bf1117fd7c8", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.6, "classification_confidence": 0.6, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 56, "correlation_boost": 10 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "7c6a41aaf3a7924ee6dff921619d7108", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 7547, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7547\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7547\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7547\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7547\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7547\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3d7e706c80503eff5b36d27029a0cde7b1ed52a9", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 7547, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7547\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "attack_vector": "lfi path traversal \u00b7 via HTTP:7547 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "target_port_label": "7547 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 60 % \u2014 via HTTP \u2014 campagne \/24 (31.14.254.0\/24)", "confidence_pct": 60, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 56, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7547, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 7547, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:7547 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7547\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "target_port_label": "7547 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (31.14.254.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7547" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "31.14.254.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
16/06/2026 12:15:38 UTC	TCP	1434 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:1434 · (tentative d'exploit) · → /mcp	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 34 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST /mcp TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 1434 Chemin / cible /mcp Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 61 Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST /mcp HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 Payload (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:1434 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content- Requête brute (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:1434 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versio Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "20f633e7cff478c2585f58298d013520fa99a95f", "http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 447, "payload_entropy": 5.209698986495138, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 1434, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "52724088c26dfafcef26f2f24db76fc9a9e559ee", "event_fingerprint": "da6ed235aec5ede827a34b2b0a96a81b5e187eb7", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 61 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "eb42e309c584149734ad7e87ec256d81", "path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3" }, "target_context": { "dst_port": 1434, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:1434\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:1434\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:1434\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "evidence": { "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:1434\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:1434\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "142140d52610766d332d452c517adfc005bcbf34", "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 1434, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:1434\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "attack_vector": "http smuggling probe \u00b7 via HTTP:1434 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "target_port_label": "1434 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 61 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1434, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 1434, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:1434 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:1434\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "target_port_label": "1434 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1434" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ] }
15/06/2026 22:09:25 UTC	TCP	6037 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:6037 · (tentative d'exploit)	Élevée	Moyen · 58
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6037 Chemin / cible / Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 69% Corrélation +10 Risque capteur Moyen · 58 Confiance : Confiance 59 % — 5 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6037 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6037 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "1b51f9b0d4f33d60569d63086dc95c3dc65bbf1d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.187661377526253, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 6037, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 58, "tag_count": 5, "anomaly_count": 0, "campaign_key": "13368dafeded4faad048156ab6c2ecbeac46f009", "event_fingerprint": "77dc049fa1f4332a741787dc3bba3aefbaea6dcc", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.69, "classification_confidence": 0.69, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 58, "correlation_boost": 10 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "1fdbb0daab9e819cf0aef1df7379e790", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 6037, "service": "http", "service_name": "http", "risk_score": 58 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6037\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6037\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6037\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6037\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6037\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "31bae5f8a76b89813b3c1741f3a571b21c5065ef", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6037, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6037\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "attack_vector": "lfi path traversal \u00b7 via HTTP:6037 \u00b7 (tentative d'exploit)", "target_port_label": "6037 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (31.14.254.0\/24)", "confidence_pct": 69, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 58, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 58, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6037, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6037, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:6037 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6037\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "target_port_label": "6037 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (31.14.254.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6037" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "31.14.254.0\/24", "coordinated_ip_count": 8, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
15/06/2026 21:45:37 UTC	TCP	6013 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:6013 · (tentative d'exploit)	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 37 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 6013 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 64 Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:6013 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Len Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:6013 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version: Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "5f32159843381578687307dc95eb41b7260a9360", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 444, "payload_entropy": 5.1961693050859985, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 6013, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.9, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "e9ab0e4dd7f51ffb672aefd2a4e48eabed2bc716", "event_fingerprint": "264d9e544ecd5bb83f09790d88d0c8b79020931e", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "ed56e093f92a3b84dcd7449bc5c816aa", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 6013, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:6013\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Len", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:6013\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version: ", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:6013\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Len", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:6013\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version: ", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:6013\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Len", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bd359ccc2b12565087975f1c1b6a05f3ccac2ceb", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6013, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:6013\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Len", "attack_vector": "http smuggling probe \u00b7 via HTTP:6013 \u00b7 (tentative d'exploit)", "target_port_label": "6013 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6013, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6013, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:6013 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:6013\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Len", "target_port_label": "6013 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6013" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
15/06/2026 07:37:02 UTC	TCP	6016 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:6016 · (tentative d'exploit)	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6016 Chemin / cible / Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 55 Confiance : Confiance 59 % — 5 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6016 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6016 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "9fbc3aac079161933c16937f5223cfaa43f7a041", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.171737172311436, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 6016, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 55, "tag_count": 5, "anomaly_count": 0, "campaign_key": "eaa094231a6866341c71e671907c92b7aa6c33c9", "event_fingerprint": "b08d78b232cebff80ed3f331069d596743bd36ed", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 55 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "7bf3e5eceda037efb03ad881d139276a", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 6016, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6016\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6016\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6016\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6016\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6016\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "93fb7163cfbc320c89e1a0268117d36b1cafd9b7", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6016, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6016\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "attack_vector": "lfi path traversal \u00b7 via HTTP:6016 \u00b7 (tentative d'exploit)", "target_port_label": "6016 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6016, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6016, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:6016 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6016\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "target_port_label": "6016 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6016" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
15/06/2026 01:47:49 UTC	TCP	6039 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:6039 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6039 Chemin / cible / Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 59 Confiance : Confiance 59 % — 5 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6039 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6039 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "aedbb65440862019911990954789c4111aed5696", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.187661377526253, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 6039, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3afa1a1440fdac6162729a77cd744c713d9672e9", "event_fingerprint": "e938719f5df85dfc0cb608fa87bec2d518b219c0", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "62eef1059a01d67a400d1f6461e50e05", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 6039, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6039\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6039\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6039\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6039\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6039\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "85afb90257bc676a40dcd0bba51fbcce6f38931f", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6039, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6039\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "attack_vector": "lfi path traversal \u00b7 via HTTP:6039 \u00b7 (tentative d'exploit)", "target_port_label": "6039 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6039, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6039, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:6039 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6039\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "target_port_label": "6039 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6039" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
15/06/2026 00:52:59 UTC	TCP	6095 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:6095 · (tentative d'exploit) · → /sse	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /sse TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6095 Chemin / cible /sse Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 69% Corrélation +10 Risque capteur Moyen · 57 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /sse HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:6095 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: t Requête brute (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:6095 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "7e3eb414de29ec2c35eb29803ca6ac38825eaceb", "http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 190, "payload_entropy": 5.159280279356831, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 6095, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "ab224c2bc3f3afdd03ef5711b97753be21f634ae", "event_fingerprint": "aa599e514b334f77612e6e6460253eec1ea25b56", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.69, "classification_confidence": 0.69, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 57, "correlation_boost": 10 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "e5165ff02c714ae8ff6d7cce6a36e0cd", "path_pattern_hash": "9c55a765acd7167a274de1a30a6df566" }, "target_context": { "dst_port": 6095, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:6095\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:6095\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:6095\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "evidence": { "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:6095\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:6095\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8f464c80807e3d4a83dbf4d881e135af2107d54f", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6095, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:6095\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "attack_vector": "lfi path traversal \u00b7 via HTTP:6095 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "target_port_label": "6095 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (31.14.254.0\/24)", "confidence_pct": 69, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 57, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6095, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6095, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:6095 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:6095\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "target_port_label": "6095 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (31.14.254.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6095" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "31.14.254.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
14/06/2026 16:33:38 UTC	TCP	8084 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:8084 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8084 Chemin / cible / Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 59 Confiance : Confiance 59 % — 5 tag(s) WAF Protocole émulé 1 Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8084 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8084 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "52139ff216422f6e734a2f69155b92f0ec67e9f8", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.206419253236291, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 8084, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "761c25a01564335e38d3c3816500ea6752f13697", "event_fingerprint": "6a94da5cc42a606ecbfaf2222197c3b06162378c", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "8f99997de754ccb859dc3e7c6c47979f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8084, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8084\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8084\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8084\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8084\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8084\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "12db2bebb8145b9150ea5ffa21310df4b7b7760d", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 8084, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8084\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "attack_vector": "lfi path traversal \u00b7 via HTTP:8084 \u00b7 (tentative d'exploit)", "target_port_label": "8084 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8084, "protocol_emulated": true, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 8084, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:8084 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8084\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "target_port_label": "8084 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8084" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ] }
14/06/2026 14:47:12 UTC	TCP	3690 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3690 · (tentative d'exploit)	Élevée	Moyen · 60
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 37 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3690 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 60 Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3690 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Len Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3690 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version: Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "1368927111878282c0002b3bfd6f48bc987e1087", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 444, "payload_entropy": 5.205497479523107, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 3690, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.3, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 60, "tag_count": 6, "anomaly_count": 0, "campaign_key": "30df118bd2e6637bacf344117509045322bc5ad3", "event_fingerprint": "1e3b8061c35c70ca4533a58eef7a0dc81542cf53", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 60 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "68505bbd153379ed1617bd7204a511d1", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3690, "service": "http", "service_name": "http", "risk_score": 60 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3690\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Len", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3690\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version: ", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3690\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Len", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3690\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version: ", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3690\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Len", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "62f48cbaa9485fc826816b45579b489af70514ca", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 3690, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3690\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Len", "attack_vector": "http smuggling probe \u00b7 via HTTP:3690 \u00b7 (tentative d'exploit)", "target_port_label": "3690 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 60 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 60, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3690, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 3690, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3690 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3690\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Len", "target_port_label": "3690 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3690" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
07/06/2026 12:29:22 UTC	TCP	4667 · HTTP	http	Traversal LFI	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4667 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 57 Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4667 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4667 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "9e3852b8d19cafbf99ef5af2b6e5dae61236c4d5", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.209252923731511, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 4667, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 57, "tag_count": 5, "anomaly_count": 0, "campaign_key": "711c003a8ba8580838c5d6cece3266c80d45305a", "event_fingerprint": "98f71f1035f01af56ac9d6c0d9a0bf40358a9cfe", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 57 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "837955644e67ae1bb980d7e38d6b14e7", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 4667, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4667\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4667\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4667\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4667\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4667\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7f07138984e02663ab348b90d3d28f97d1335b13", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 57 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4667, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4667" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
07/06/2026 05:12:13 UTC	TCP	21724 · HTTP	http	Traversal LFI	Élevée	Moyen · 58
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 21724 Chemin / cible /favicon.ico Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:21724 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:21724 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "dc8d2bb1ac990ef4afa5ffcfc8942e499b834246", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.2006905837688135, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 21724, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 58, "tag_count": 4, "anomaly_count": 0, "campaign_key": "ec6a829abc488237457dc120575aa6c92ad67870", "event_fingerprint": "6e2d80b477f86109818688bf2aeb1f54a1c4c17b", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "fc2089b3680901fe8aba0a65ae602648", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 21724, "service": "http", "service_name": "http", "risk_score": 58 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:21724\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:21724\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:21724\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:21724\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:21724\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ddff15cde3de357a1671df1d405ad906e0248403", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "21724" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploit_attempt", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
06/06/2026 22:08:23 UTC	TCP	8802 · HTTP	http	Traversal LFI	Élevée	Moyen · 59
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8802 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8802 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8802 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "0f23efe7bb5ebfd00b6c43de167a4d865af317f1", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.194858559594672, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 8802, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.4, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "eb7e72b3ea6a4e8fdff1bfe241b313113757d5e3", "event_fingerprint": "7f21e6c7e8015ea5e5f0ca2d4746ac6db36899d3", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "761310ff6407bc8e9374100a8b5e45af", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8802, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8802\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8802\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8802\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8802\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8802\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a254622a5696e6c2be3162ecfea301f895cc5163", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8802" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploit_attempt", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
06/06/2026 02:54:36 UTC	TCP	13459	http	Traversal LFI	Élevée	Moyen · 55
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 13459 Chemin / cible /favicon.ico Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:13459 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:13459 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "2cec6a82a6f2d7d039d55d93860fa267734f45f9", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.19396024594267, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 13459, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "0933e83fa43fbe711fec79b9c9325946682425d9", "event_fingerprint": "88715d8cf18886b6e02cc54f6587075716e0657f", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "087a96cf67f08dc6691c01ac8872c161", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 13459, "service": "http" }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:13459\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:13459\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:13459\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:13459\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:13459\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "42ce56b36b2806cb09c3842bc2acf47f85bf2ad2", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
06/06/2026 02:17:33 UTC	TCP	10806	http	Traversal LFI	Élevée	Moyen · 57
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10806 Chemin / cible /favicon.ico Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:10806 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:10806 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "6828f428110462daad36aa53cfcaf5039be89b68", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.178529148795247, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 10806, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "932bb0021fa2a7acf4d56a278cf1d10c25b073b4", "event_fingerprint": "cd68c076448b64915a4929f259e92ac9ed687444", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "1a318744ad4568f1bead9782e64e4249", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 10806, "service": "http" }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10806\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10806\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10806\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10806\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10806\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ea6e747ea2c0799632045e71aafc6e0087342a76", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
06/06/2026 02:16:45 UTC	TCP	25192	http	Traversal LFI	Élevée	Moyen · 58
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 25192 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:25192 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:25192 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "9c6079723f5847e718b527586d4cfd9091a453ea", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.195874946563656, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 25192, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 58, "tag_count": 5, "anomaly_count": 0, "campaign_key": "571da47e94f00f4283356f305d912d693de4f938", "event_fingerprint": "4a025435025ccbc8c9f7d594f1cf25585b0ff021", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "ad906fbbce0f97ab72b45ce6e37498d8", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 25192, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25192\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25192\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25192\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25192\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25192\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8156f08e6b4481c1d7846769e0ecb7b218df8e4f", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "behavior_alert_count": 2, "behavior_priority": 84 }
06/06/2026 01:50:41 UTC	TCP	20655	http	Traversal LFI	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20655 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20655 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20655 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "d0b4963773c3b35032169b7ea1cafb6ca2760770", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.181563308657489, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 20655, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 56, "tag_count": 5, "anomaly_count": 0, "campaign_key": "204a6f080648168c6fd99e83cea2ff54def38083", "event_fingerprint": "0a5496e6aea90e8eafc8e4d0bc1739157aa8b1dc", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "055ebd551947d5a1a0f2167845094f4e", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 20655, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20655\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20655\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20655\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20655\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20655\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0567572666d738574bf2b969cc9b88a9bc324c68", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
06/06/2026 01:08:34 UTC	TCP	6056	http	Traversal LFI	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6056 Chemin / cible /favicon.ico Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:6056 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) A Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:6056 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "fd6546e142a435e10fa1a3bef01fdfe085f96da0", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 184, "payload_entropy": 5.1652320663806535, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 6056, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "1d9071130a21dbf961737ef5cec8711e48a745e3", "event_fingerprint": "5d6a6f08d303d3c80bfb670da06a6fdd40b05c23", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "d64df8bb7ea148dbb3a124abbfe31a3d", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 6056, "service": "http" }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6056\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6056\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6056\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6056\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6056\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "31748897ee7326b0be40c11325d42bd7a016df4c", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
06/06/2026 00:27:48 UTC	TCP	4511	http	Traversal LFI	Élevée	Moyen · 57
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4511 Chemin / cible /favicon.ico Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:4511 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) A Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:4511 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "9419ee286a1a95aed83c53bcfc12675f0971a299", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 184, "payload_entropy": 5.171456235009603, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 4511, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49067a7ef6ebb737eba3d39add6973b300a013da", "event_fingerprint": "ad61bc1ff05dcae4106bbe88061a092c7e0c609d", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "56174ae81b66d117adc6bf87f3338a22", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 4511, "service": "http" }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4511\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4511\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4511\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4511\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4511\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5d7cdc0135d8268be2511a8556f10dae88a0fa5c", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
05/06/2026 23:18:03 UTC	TCP	1194	openvpn	openvpn probe	Élevée	Faible · 19
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_openvpn_probe openvpn_emulated tls_clienthello wireguard_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1194 Chemin / cible — Pourquoi cette classification : Type « openvpn_probe » (signaux protocolaires) · confiance 66% Confiance classification 66% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��zF��c��غh4 �J&6�{�.�� \|:'P�Z�/ʶ�C��U�Gs��ѩ�3�F�+�/̨̩�,�0� � ��/5�'�#̪��gk3 Requête brute (extrait) ��zF��c��غh4 �J&6�{�.�� \|:'P�Z�/ʶ�C��U�Gs��ѩ�3�F�+�/̨̩�,�0� � ��/5�'�#̪��gk39<� �� # http/1.1" 3ki �_�Dc��\G�:� ��@ Meta JSON brut { "protocol_emulated": true, "emulator_response": "380000000000000000", "emulator_response_len": 9, "bytes_in": 672, "payload_entropy": 7.095987103332974, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "openvpn", "app_proto": "openvpn", "asn": 25369, "country": "GB", "dst_port": 1194, "risk_waf": 8, "risk_classification": 46, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 19, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b231c69b279cda1b522242a58f7dc959ad14f887", "event_fingerprint": "3a7ecaf9104d633c1b2b6cfa11ec7d30d1b69370", "classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%", "confidence": 0.66, "classification_confidence": 0.66, "precision_score": 73, "precision_signals": [ "INT-openvpn_pkt", "INT-upstream" ], "kb_rule_ids": [ "INT-openvpn_pkt", "INT-upstream" ], "matched_patterns": [ "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 66, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bba4a3fe4787affdbdae334adb31c12f", "path_pattern_hash": "6c07e36460e62c833d0e82829ad833da" }, "target_context": { "dst_port": 1194, "service": "openvpn" }, "payload_preview": "\u0016\u0003\u0001\u0002\ufffd\u0001\u0000\u0002\ufffd\u0003\u0003\ufffd\u0006\ufffd\ufffdzF\ufffd\ufffdc\ufffd\ufffd\ufffd\u063ah4\b\t\ufffd\u001cJ&6\ufffd\u0003{\ufffd.\ufffd\ufffd\u0004 \ufffd\ufffd\|:'P\ufffd\u0010Z\ufffd\/\u02b6\ufffdC\ufffd\ufffd\ufffd\ufffdU\u0000\ufffdG\u001es\ufffd\ufffd\u0469\ufffd3\ufffd\u0000F\u0013\u0001\u0013\u0003\u0013\u0002\ufffd+\ufffd\/\u0329\u0328\ufffd,\ufffd0\ufffd\n\ufffd\t\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd'\ufffd#\u032a\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003", "request_sample": "\u0016\u0003\u0001\u0002\ufffd\u0001\u0000\u0002\ufffd\u0003\u0003\ufffd\u0006\ufffd\ufffdzF\ufffd\ufffdc\ufffd\ufffd\ufffd\u063ah4\b\t\ufffd\u001cJ&6\ufffd\u0003{\ufffd.\ufffd\ufffd\u0004 \ufffd\ufffd\|:'P\ufffd\u0010Z\ufffd\/\u02b6\ufffdC\ufffd\ufffd\ufffd\ufffdU\u0000\ufffdG\u001es\ufffd\ufffd\u0469\ufffd3\ufffd\u0000F\u0013\u0001\u0013\u0003\u0013\u0002\ufffd+\ufffd\/\u0329\u0328\ufffd,\ufffd0\ufffd\n\ufffd\t\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd'\ufffd#\u032a\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000<\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0005\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\u0014\u0001\u0000\u0002\b\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\n\u0000\u000e\u0000\f\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0001\u0000\u0001\u0001\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\"\u0000\n\u0000\b\u0004\u0003\u0005\u0003\u0006\u0003\u0002\u0003\u00003\u0000k\u0000i\u0000\u001d\u0000 \ufffd_\ufffdDc\ufffd\ufffd\\G\ufffd:\u0014\ufffd\t\ufffd\ufffd@\u000b", "payload_snippet": "\u0016\u0003\u0001\u0002\ufffd\u0001\u0000\u0002\ufffd\u0003\u0003\ufffd\u0006\ufffd\ufffdzF\ufffd\ufffdc\ufffd\ufffd\ufffd\u063ah4\b\t\ufffd\u001cJ&6\ufffd\u0003{\ufffd.\ufffd\ufffd\u0004 \ufffd\ufffd\|:'P\ufffd\u0010Z\ufffd\/\u02b6\ufffdC\ufffd\ufffd\ufffd\ufffdU\u0000\ufffdG\u001es\ufffd\ufffd\u0469\ufffd3\ufffd\u0000F\u0013\u0001\u0013\u0003\u0013\u0002\ufffd+\ufffd\/\u0329\u0328\ufffd,\ufffd0\ufffd\n\ufffd\t\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd'\ufffd#\u032a\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\ufffd\u0001\u0000\u0002\ufffd\u0003\u0003\ufffd\u0006\ufffd\ufffdzF\ufffd\ufffdc\ufffd\ufffd\ufffd\u063ah4\b\t\ufffd\u001cJ&6\ufffd\u0003{\ufffd.\ufffd\ufffd\u0004 \ufffd\ufffd\|:'P\ufffd\u0010Z\ufffd\/\u02b6\ufffdC\ufffd\ufffd\ufffd\ufffdU\u0000\ufffdG\u001es\ufffd\ufffd\u0469\ufffd3\ufffd\u0000F\u0013\u0001\u0013\u0003\u0013\u0002\ufffd+\ufffd\/\u0329\u0328\ufffd,\ufffd0\ufffd\n\ufffd\t\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd'\ufffd#\u032a\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000<\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0005\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\u0014\u0001\u0000\u0002\b\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\n\u0000\u000e\u0000\f\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0001\u0000\u0001\u0001\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\"\u0000\n\u0000\b\u0004\u0003\u0005\u0003\u0006\u0003\u0002\u0003\u00003\u0000k\u0000i\u0000\u001d\u0000 \ufffd_\ufffdDc\ufffd\ufffd\\G\ufffd:\u0014\ufffd\t\ufffd\ufffd@\u000b", "payload_snippet": "\u0016\u0003\u0001\u0002\ufffd\u0001\u0000\u0002\ufffd\u0003\u0003\ufffd\u0006\ufffd\ufffdzF\ufffd\ufffdc\ufffd\ufffd\ufffd\u063ah4\b\t\ufffd\u001cJ&6\ufffd\u0003{\ufffd.\ufffd\ufffd\u0004 \ufffd\ufffd\|:'P\ufffd\u0010Z\ufffd\/\u02b6\ufffdC\ufffd\ufffd\ufffd\ufffdU\u0000\ufffdG\u001es\ufffd\ufffd\u0469\ufffd3\ufffd\u0000F\u0013\u0001\u0013\u0003\u0013\u0002\ufffd+\ufffd\/\u0329\u0328\ufffd,\ufffd0\ufffd\n\ufffd\t\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd'\ufffd#\u032a\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003", "classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "network_service_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3e27c240b863be1e541b37d3aa09c7d656b14850", "ban_policy": "advisory_monitor", "tags_list": [ "net_openvpn_probe", "openvpn_emulated", "tls_clienthello", "wireguard_probe" ] }
05/06/2026 21:00:16 UTC	TCP	19223	http	Traversal LFI	Élevée	Moyen · 55
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 19223 Chemin / cible /favicon.ico Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:19223 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:19223 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "b3c59bb46c1e5f53ab035c2924c145e0de85d1e6", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.18314943513186, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 19223, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "725d4e4be316af56b8bf5c76896895d994674d3b", "event_fingerprint": "d7f5a05ef4caf9f6f6a930a7848fd77c0ea65603", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "05a260173ac17ff126f106f0796f79eb", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 19223, "service": "http" }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:19223\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:19223\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:19223\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:19223\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:19223\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e3207d879e446059732d86674c972495ed403313", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "behavior_alert_count": 1, "behavior_priority": 72 }
05/06/2026 20:31:15 UTC	TCP	28451	http	Traversal LFI	Élevée	Moyen · 58
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 28451 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:28451 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:28451 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "c5e1df9e31875f1fb57267448fa2ed1cfa375a59", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.211707633357699, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 28451, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 58, "tag_count": 5, "anomaly_count": 0, "campaign_key": "805a211a27b98f1141d510e7482a61c76444136c", "event_fingerprint": "a7a22323b4c8a96951568f31b6323e847579ddd6", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "efc8b58a8a8ab3bf1d9a93c05246b1ce", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 28451, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28451\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28451\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28451\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28451\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28451\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "03f557d1e66b881b015fce4d7ede90a700b08234", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "behavior_alert_count": 1, "behavior_priority": 72 }
05/06/2026 19:50:11 UTC	TCP	14190	http	Traversal LFI	Élevée	Moyen · 58
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 14190 Chemin / cible /favicon.ico Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:14190 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:14190 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "6715a42be62790b3800b873dc3f49c62931e705c", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.189339959606058, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 14190, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 58, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2cc21b765da7816d3fbf7c5f167be43ed8b58187", "event_fingerprint": "8ff7c4cdd4adcd229c31d37344098733d057f1c2", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "892605c57aca9971ee293def7b7e46b4", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 14190, "service": "http" }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:14190\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:14190\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:14190\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:14190\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:14190\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3f16c88c01a5152196f90cb3d32ec4ccdc65b946", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
05/06/2026 19:06:07 UTC	TCP	8888	http	Traversal LFI	Élevée	Moyen · 59
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass HTTP alt 8888 probe Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8888 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8888 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "25a58e7d7f0ed40aadf0d51b038172ea9ccc8435", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.190495048021473, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 8888, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "9609c0485d6d92bd5943c1e9b23819759b50e6e2", "event_fingerprint": "baca1c5dd7aea1efc2dd36267eb7d2b826e6c71d", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103", "pat-0599" ], "matched_pattern_names": [ "LFI Double-dot bypass", "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0103", "pat-0599" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "dfe5b7060caead587cb1e11963c09bc8", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8888, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2c4f017c98cec184e636a5a0fd30a93bf43530ec", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ] }
05/06/2026 17:32:41 UTC	TCP	24921	http	Traversal LFI	Élevée	Moyen · 59
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 24921 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:24921 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:24921 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "44dd273acf38345ea4535bcfa52f5e191fea8c7f", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.211707633357699, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 24921, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "719fd2bdf79961a86981773971d2634989ca6488", "event_fingerprint": "a44fa97fb8bc427b9e40c302dec488dccf6c0370", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "ba550fb8c4f303755d031f689e852e13", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 24921, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:24921\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:24921\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:24921\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:24921\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:24921\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6c794354c86b0ae33b494332e88b93caea4ffd8f", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
05/06/2026 13:08:18 UTC	TCP	6046	—	Sonde port	Faible	Faible · 14
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6046 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) l Meta JSON brut { "bytes_in": 12, "payload_entropy": 0.8166890883150209, "port_category": "registered", "org": "Hydra Communications Ltd", "service": null, "app_proto": null, "asn": 25369, "country": "GB", "dst_port": 6046, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.2, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 14, "tag_count": 0, "anomaly_count": 0, "campaign_key": "48d982e919490d7a893cdb5e7bcd7751d849c3cd", "event_fingerprint": "4cd2f31fbaf13bba63838ac72596c67c900fa531", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ad33d13d6bc3bd05c9957f130811a989", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 6046 }, "payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e2e6c6249892c2c463a382b2f1f863654b39fc25", "ban_policy": "advisory_monitor" }
05/06/2026 11:54:14 UTC	TCP	2049	nfs	Sonde NFS	Élevée	Faible · 29
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_nfs_probe nfs_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2049 Chemin / cible — Pourquoi cette classification : Type « nfs_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) LFI Double-dot bypass User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2049 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2049 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "c74554210000000000000000", "emulator_response_len": 12, "bytes_in": 173, "payload_entropy": 5.206419253236291, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "nfs", "app_proto": "nfs", "asn": 25369, "country": "GB", "dst_port": 2049, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 25 }, "risk_score": 29, "tag_count": 7, "anomaly_count": 0, "campaign_key": "6be726669fdb6e7fc51a2ca8ba81cf376cfe2895", "event_fingerprint": "923118becffb962b98707ace1a35bf197f6f487b", "classification_reason": "Type \u00ab nfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cc0dcf201a97dc27213539c55f32741f", "path_pattern_hash": "b4c17c2e08034efe3107b042afcaf38e" }, "target_context": { "dst_port": 2049, "service": "nfs" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2049\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2049\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2049\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2049\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2049\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab nfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "56196113f92c370ed6dd4295be1f3af692a85007", "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_nfs_probe", "nfs_emulated", "nfs_mount", "nfs_payload", "nfs_probe" ] }
05/06/2026 09:16:07 UTC	TCP	6000	—	Sonde port	Faible	Faible · 17
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6000 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) l Meta JSON brut { "bytes_in": 12, "payload_entropy": 0.8166890883150209, "port_category": "registered", "org": "Hydra Communications Ltd", "service": null, "app_proto": null, "asn": 25369, "country": "GB", "dst_port": 6000, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 17, "tag_count": 0, "anomaly_count": 0, "campaign_key": "5c8df6f4eabf9d7af3f3ecf6c7cf512e0b981324", "event_fingerprint": "ee4840953fa1cc900d65a98f0af258a8aa6cd646", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ad33d13d6bc3bd05c9957f130811a989", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 6000 }, "payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3f1dd0db410bf32fe11136bbd2649985b90af8fe", "ban_policy": "advisory_monitor" }
05/06/2026 07:58:59 UTC	TCP	8291	glassfish	glassfish probe	Élevée	Faible · 19
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags glassfish_emulated net_glassfish_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8291 Chemin / cible — Pourquoi cette classification : Type « glassfish_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 4, "payload_entropy": 0, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "glassfish", "app_proto": "glassfish", "asn": 25369, "country": "GB", "dst_port": 8291, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 19, "tag_count": 2, "anomaly_count": 0, "campaign_key": "acbd350c0250cc2fb135fb1564a5b102b5b9e8b0", "event_fingerprint": "a46f9985263cf5ed8abba1dd09854605de507628", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "df3f619804a92fdb4057192dc43dd748", "path_pattern_hash": "7e2de634fbbf7781a43ec5a3779029ad" }, "target_context": { "dst_port": 8291, "service": "glassfish" }, "payload_preview": "\u0000\u0000\u0000\u0000", "request_sample": "\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab glassfish_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab glassfish_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "network_service_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "988d14ccdd048b52acd50b75b9745f075a405731", "ban_policy": "advisory_monitor", "tags_list": [ "glassfish_emulated", "net_glassfish_probe" ] }
05/06/2026 07:05:24 UTC	TCP	88	http	Traversal LFI	Élevée	Moyen · 58
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 88 Chemin / cible /favicon.ico Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:88 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Acc Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:88 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "3f53fd38a0b70842554ee03ec3c54d18c411dc66", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 182, "payload_entropy": 5.171652814933386, "port_category": "well_known", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 88, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 58, "tag_count": 4, "anomaly_count": 0, "campaign_key": "1e208c2e19aec6c86fcea7fd5aea7794df8e9790", "event_fingerprint": "c356a2f735adb8c32fb05413726d85c3001c59fe", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "a759cda27ded44b5b9ae60c57a24b0e2", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 88, "service": "http" }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAcc", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAcc", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAcc", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8b1302e204c1633a02f06c72b67b6dc70351d48d", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
05/06/2026 06:53:16 UTC	TCP	20547	—	Sonde port	Faible	Faible · 18
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 20547 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �@G� Meta JSON brut { "bytes_in": 10, "payload_entropy": 2.8464393446710154, "port_category": "registered", "org": "Hydra Communications Ltd", "service": null, "app_proto": null, "asn": 25369, "country": "GB", "dst_port": 20547, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 18, "tag_count": 0, "anomaly_count": 0, "campaign_key": "74c521ba31ff58ce77da10b0efb98b36014a717e", "event_fingerprint": "efff661e4af1ef51500db9113dc5b5c7debab9bb", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2cc5dd6ae6f17ae70282e9c9e6536e6e", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 20547 }, "payload_preview": "\ufffd\u0001\u0000\u000b@\u0002\u0000\u0000G\ufffd", "request_sample": "\ufffd\u0001\u0000\u000b@\u0002\u0000\u0000G\ufffd", "payload_snippet": "\ufffd\u0001\u0000\u000b@\u0002\u0000\u0000G\ufffd", "evidence": { "request_sample": "\ufffd\u0001\u0000\u000b@\u0002\u0000\u0000G\ufffd", "payload_snippet": "\ufffd\u0001\u0000\u000b@\u0002\u0000\u0000G\ufffd", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "902bf77203fdac0df000b1ee9cd129df3ce1f5c7", "ban_policy": "advisory_monitor" }
05/06/2026 05:46:43 UTC	TCP	8888	http	Traversal LFI	Élevée	Moyen · 59
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass HTTP alt 8888 probe Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8888 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8888 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "25a58e7d7f0ed40aadf0d51b038172ea9ccc8435", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.190495048021473, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 8888, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "9609c0485d6d92bd5943c1e9b23819759b50e6e2", "event_fingerprint": "baca1c5dd7aea1efc2dd36267eb7d2b826e6c71d", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103", "pat-0599" ], "matched_pattern_names": [ "LFI Double-dot bypass", "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0103", "pat-0599" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "dfe5b7060caead587cb1e11963c09bc8", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8888, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2c4f017c98cec184e636a5a0fd30a93bf43530ec", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
05/06/2026 03:59:42 UTC	TCP	25565	minecraft	minecraft probe	Élevée	Faible · 20
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags minecraft_emulated minecraft_status_ping net_minecraft_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 25565 Chemin / cible — Pourquoi cette classification : Type « minecraft_probe » (signaux protocolaires) · confiance 67% Confiance classification 67% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) / 62.3.50.33c� Meta JSON brut { "protocol_emulated": true, "emulator_response": "0000787b2276657273696f6e223a7b226e616d65223a22312e32302e34222c2270726f746f636f6c223a3736357d2c22706c6179657273223a7b226d6178223a32302c226f6e6c696e65223a337d2c226465736372697074696f6e223a7b2274657874223a22486f6e6579706f74204d696e656372616674227d7d", "emulator_response_len": 123, "bytes_in": 19, "payload_entropy": 3.536886723742167, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "minecraft", "app_proto": "minecraft", "asn": 25369, "country": "GB", "dst_port": 25565, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 20, "tag_count": 3, "anomaly_count": 0, "campaign_key": "0e6668b1b6d7978d30ff719e7065e179eb722676", "event_fingerprint": "693ecbb9a1e86d78b2b00f4d400ad992bafdc5d5", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%", "confidence": 0.67, "classification_confidence": 0.67, "precision_score": 75, "precision_signals": [ "pat-0554", "INT-upstream" ], "kb_rule_ids": [ "pat-0554", "INT-upstream" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "risk_confidence_factor": 67, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "53328a59d45cb975370e8bcbbcb39928", "path_pattern_hash": "796c509ff0514fcb64ff9e5a1c4b51db" }, "target_context": { "dst_port": 25565, "service": "minecraft" }, "payload_preview": "\u0010\u0000\/\n62.3.50.33c\ufffd\u0001\u0001\u0000", "request_sample": "\u0010\u0000\/\n62.3.50.33c\ufffd\u0001\u0001\u0000", "payload_snippet": "\u0010\u0000\/\n62.3.50.33c\ufffd\u0001\u0001\u0000", "evidence": { "request_sample": "\u0010\u0000\/\n62.3.50.33c\ufffd\u0001\u0001\u0000", "payload_snippet": "\u0010\u0000\/\n62.3.50.33c\ufffd\u0001\u0001\u0000", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "game_server_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b866b2f275ffc1a9a207c17ee5be2deacca175c8", "ban_policy": "advisory_monitor", "tags_list": [ "minecraft_emulated", "minecraft_status_ping", "net_minecraft_probe" ] }
03/06/2026 22:00:31 UTC	TCP	177	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 177 Chemin / cible / Confiance classification 95% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:177 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "35def72dfb9b076fe79dbd3d4776154e9fb9664d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 172, "payload_entropy": 5.185101076962122, "port_category": "well_known", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 177, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "137bd846f48a71df86f0d60491a273e3edfaeb19", "event_fingerprint": "21a9e4de8cc2456f3f306e15e1c600900c9ec7fc", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "014a9ad55658ef0358ea620bd0d539ae", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 177, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.95, "classification_confidence": 0.95, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:177\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\n", "event_signature": "7f7f9731beaba879bfa29ed2ebc0d38bc5398626", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
03/06/2026 20:43:27 UTC	TCP	6002	—	Sonde port	Faible	Faible · 13
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6002 Chemin / cible — Confiance classification 55% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) l Meta JSON brut { "bytes_in": 12, "payload_entropy": 0.8166890883150209, "port_category": "registered", "org": "Hydra Communications Ltd", "service": null, "app_proto": null, "asn": 25369, "country": "GB", "dst_port": 6002, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 13, "tag_count": 0, "anomaly_count": 0, "campaign_key": "11ac35c540d2a1fbea8a9aaade70b6a3bf546260", "event_fingerprint": "717fd7c3a4fa50dcd66185e1ecc6cba0666112ad", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ad33d13d6bc3bd05c9957f130811a989", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 6002 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.55, "classification_confidence": 0.55, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "event_signature": "266cf76c2890f19c5494164d521abfed11ef0afc", "ban_policy": "advisory_monitor" }
02/06/2026 22:38:02 UTC	TCP	2525	—	Sonde port	Faible	Faible · 8
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
02/06/2026 22:38:02 UTC	TCP	2525	—	Sonde port	Faible	Faible · 8
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 16:35:40 UTC	TCP	7687	—	Sonde port	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 01:38:06 UTC	TCP	2404	http	web attack	Élevée	Critique · 100
Étape — WAF 30 Recommandation — Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2404 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "e45bafb5503424d1ab34239d9bf92a302acbd497", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.194858559594672, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "2bfa3ad8485e97078e6c0ffd3c6075d131e5e29f", "event_fingerprint": "a9da795eeb22c4990ded22dd667f695f0152b684", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
01/06/2026 00:42:46 UTC	TCP	14430	http	web attack	Élevée	Critique · 100
Étape — WAF 30 Recommandation — Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 14430 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "fe3445fe2a5d64ba7a6d0c87116cf7a3dc191ef5", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.190240176498448, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "3161f06d443b799c61a1dd88de5f80099270cef6", "event_fingerprint": "4aed0701febabc4604cfa0e18d4a456b24a1c3b1", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
31/05/2026 22:19:26 UTC	TCP	2078	http	web attack	Élevée	Critique · 100
Étape — WAF 30 Recommandation — Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2078 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "abf0fd2b1a4bfa05c8856c80f197c8bd849ab508", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.206419253236291, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "c1eb4c2f46cff45c76a7d65c4554d608d10bc1ac", "event_fingerprint": "335922dd541ea64c9ff274ca66e9eab57f52d554", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
31/05/2026 21:11:22 UTC	TCP	23002	http	web attack	Élevée	Critique · 100
Étape — WAF 30 Recommandation — Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 23002 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "e7ac7ecd794e71914a63e2cbdca798fceb5afd12", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 144, "payload_entropy": 5.097605644356062, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "e875d166bba954810b0f75954be4b3db742d47a7", "event_fingerprint": "bbf7145c7f94fd22e1fb72358c1a2a300377cfe5", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
31/05/2026 20:40:47 UTC	TCP	26900	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
31/05/2026 00:02:28 UTC	TCP	2727	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1

31.14.254.86

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence