Renseignement sur les menaces

Indonésie

34.101.45.12

FAI Google LLC Première vue 14/06/2026 11:30 UTC Dernière vue 14/06/2026 11:30 UTC Risque Moyen

Période analysée : 2026-05-19 → 2026-06-18

Activité suspecte — risque 59/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTPS

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Moyen · Risque max (7j) Moyen

Synthèse exécutive

Profil de menace

Score de risque 59/100 Moyen

Première observation 14/06/2026 11:30 UTC

Dernière observation 14/06/2026 11:30 UTC

Événements (période) 854

MITRE ATT&CK principal T1499 775 occurrences

Activité suspecte — risque 59/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTPS

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_flood » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 8

Comparaison ASN / FAI

ASN 396982 · 34.101.32.0/19 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 854 événements sur la période pour cette IP.

147.185.132.203 Scan vulnérabilités 18/06/2026 01:59 UTC
147.185.132.149 Scanner web 18/06/2026 01:59 UTC
162.216.150.23 Sonde Stratum (mining) 18/06/2026 01:59 UTC
147.185.133.174 Scanner web 18/06/2026 01:57 UTC
198.235.24.113 ethereum probe 18/06/2026 01:55 UTC
147.185.132.18 Sonde port 5903/TCP 18/06/2026 01:54 UTC
35.203.211.143 Scanner web 18/06/2026 01:53 UTC
35.203.211.103 Scanner web 18/06/2026 01:53 UTC

Événements (filtres)

854

Première observation

14/06/2026 11:30 UTC

Dernière observation

14/06/2026 11:30 UTC

Dernière activité (filtres)

14/06/2026 11:30 UTC

Événements 7j

854

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Géolocalisation

Origine réseau déclarée

Indonésie unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 9443 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

http flood · via HTTPS:9443 · (tentative d'exploit)

Détails protocole

Aperçu payload

GET /sendgrid-config.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK

Port / service

9443 · HTTPS

Service émulé

HTTPS

Raison confiance

Confiance 100 % — 6 signal(aux) capteur

Technique MITRE

T1499

Persona capteur

mail.sensor-1.internal

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1499 Upstream

Confiance

100%

Famille de menace

ddos

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

854 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

854 événement(s) — page 1/18

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
14/06/2026 11:30:16 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /sendgrid.config.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWeb Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /sendgrid.config.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWeb Requête brute (extrait) GET /sendgrid.config.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connecti Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 269, "payload_entropy": 5.396072125377945, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f170ecb2c34f5ec575ce43b563c7924f", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWeb", "request_sample": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWeb", "evidence": { "request_sample": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWeb", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e4db1333059fa3d03346f9ea7370b9956a864d9", "protocol_details": { "payload_preview": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWeb", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWeb", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWeb", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWeb", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:16 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /mail/sendgrid.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/6 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /mail/sendgrid.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/6 Requête brute (extrait) GET /mail/sendgrid.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 255, "payload_entropy": 5.391762746745234, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8ab755eaa142fbb1b82749c56154af85", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/6", "request_sample": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/6", "evidence": { "request_sample": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/6", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a00d107746813fb2536cceb7784564ddc302bdcc", "protocol_details": { "payload_preview": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/6", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/6", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/6", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/6", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:16 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /email/sendgrid.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, lik Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /email/sendgrid.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, lik Requête brute (extrait) GET /email/sendgrid.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/65.0.3325.181 Chrome/65.0.3325.181 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connect Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 270, "payload_entropy": 5.4244686055237725, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "03adfd47b24f4627301eb4f91562a2a3", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik", "request_sample": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/65.0.3325.181 Chrome\/65.0.3325.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik", "evidence": { "request_sample": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/65.0.3325.181 Chrome\/65.0.3325.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "663dca15debd448908c54c8df2df931a07928949", "protocol_details": { "payload_preview": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:16 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /sendgrid.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537. Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /sendgrid.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537. Requête brute (extrait) GET /sendgrid.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 254, "payload_entropy": 5.430263991642739, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b14325ecf20b33c51eeeff6b686df82a", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.", "request_sample": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.", "evidence": { "request_sample": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a2d48f2aa992d5c05df96c26bfb25017624a08d8", "protocol_details": { "payload_preview": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:16 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /sendgrid.yaml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit/537.36 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /sendgrid.yaml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit/537.36 Requête brute (extrait) GET /sendgrid.yaml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 258, "payload_entropy": 5.423799624775903, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e4adbdb36741a1f09480bb1ee1b27768", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36 ", "request_sample": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36", "evidence": { "request_sample": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "879a32809e800f8722234ab0d059cf2d552a54eb", "protocol_details": { "payload_preview": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:16 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /sendgrid.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /sendgrid.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /sendgrid.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3178.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 243, "payload_entropy": 5.482440473181827, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d6632c38bcd13723b7f280ccdf079085", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML", "request_sample": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML", "evidence": { "request_sample": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a20c5650d74a82d2a5f40efdc4b2e7aa3d4c98e8", "protocol_details": { "payload_preview": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:16 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /config/sendgrid.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (MeeGo; NokiaN9) AppleWebKit/534.13 (KHTML, li Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /config/sendgrid.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (MeeGo; NokiaN9) AppleWebKit/534.13 (KHTML, li Requête brute (extrait) GET /config/sendgrid.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (MeeGo; NokiaN9) AppleWebKit/534.13 (KHTML, like Gecko) NokiaBrowser/8.5.0 Mobile Safari/534.13 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 246, "payload_entropy": 5.377973218438614, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2a41546cd059fa3b44f30c4c7daba817", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, li", "request_sample": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, like Gecko) NokiaBrowser\/8.5.0 Mobile Safari\/534.13\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, li", "evidence": { "request_sample": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, like Gecko) NokiaBrowser\/8.5.0 Mobile Safari\/534.13\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, li", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a942e0776506f15b273ecf3f4a131911e8838b22", "protocol_details": { "payload_preview": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, li", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, li", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, li", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, li", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:16 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /config/sendgrid.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292K Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /config/sendgrid.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292K Requête brute (extrait) GET /config/sendgrid.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Accept-Charset: utf-8 Accept-Encoding: gz Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 281, "payload_entropy": 5.403972253622371, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "55774e8e7f902ac020a786d4fe799d91", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292K", "request_sample": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "payload_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292K", "evidence": { "request_sample": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "payload_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292K", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7855ddd7459f854198326cc8428a28a24954b795", "protocol_details": { "payload_preview": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292K", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292K", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292K", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292K", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:16 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /mailer/sendgrid.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U) AppleWebKit/537.3 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /mailer/sendgrid.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U) AppleWebKit/537.3 Requête brute (extrait) GET /mailer/sendgrid.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 260, "payload_entropy": 5.423139858141907, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b6baf918174bd1d8ca4a079be3e03293", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.3", "request_sample": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.3", "evidence": { "request_sample": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b96c8ae9be54180215b26ae270f2f0cbcd4fd65c", "protocol_details": { "payload_preview": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.3", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.3", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.3", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:16 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /config/sendgrid.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.1; DragonFly) KHTML/ Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /config/sendgrid.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.1; DragonFly) KHTML/ Requête brute (extrait) GET /config/sendgrid.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.1; DragonFly) KHTML/4.1.4 (like Gecko) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 215, "payload_entropy": 5.323684671157448, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "328d172c6aee6caba51c5948dd1b9764", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/", "request_sample": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/4.1.4 (like Gecko)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/", "evidence": { "request_sample": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/4.1.4 (like Gecko)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a01246cf5bd32fc62132c45419684e412d31fd36", "protocol_details": { "payload_preview": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:16 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /sendgrid.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.3 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /sendgrid.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.3 Requête brute (extrait) GET /sendgrid.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 252, "payload_entropy": 5.4121218097150745, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6767ce2affa54a6e8ef61e19c2f51962", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.3", "request_sample": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.3", "evidence": { "request_sample": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a67b0e699e8647d89f49de9a3f86d12d4c602182", "protocol_details": { "payload_preview": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.3", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.3", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.3", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:16 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /sendgrid-config.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /sendgrid-config.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK Requête brute (extrait) GET /sendgrid-config.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3844.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 259, "payload_entropy": 5.418093434516608, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "28784d21fa66ec8f3526044f730530a3", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK", "request_sample": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3844.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK", "evidence": { "request_sample": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3844.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "91ae21735c11e2166bd984c203fe9a6369c6db3c", "protocol_details": { "payload_preview": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /wp-config.bak HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit/537.36 (KH Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /wp-config.bak HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit/537.36 (KH Requête brute (extrait) GET /wp-config.bak HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 255, "payload_entropy": 5.463911708741532, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7ea36e8c94df8951a382dad34558003e", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KH", "request_sample": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KH", "evidence": { "request_sample": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KH", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3e4381dd40c18c5054179d32c730e9d788731006", "protocol_details": { "payload_preview": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KH", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KH", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KH", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KH", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe net_flood redis_config_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /wp-config.txt HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12. Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /wp-config.txt HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12. Requête brute (extrait) GET /wp-config.txt HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 199, "payload_entropy": 5.240647954725722, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 51, "tag_count": 5, "anomaly_count": 0, "campaign_key": "cbfd075d79c49e90bf5931bc85b0ea45b7d3b839", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e5e0fceede633de1ab9bbc0aa1291666", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 51 }, "payload_preview": "GET \/wp-config.txt HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.", "request_sample": "GET \/wp-config.txt HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.txt HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.", "evidence": { "request_sample": "GET \/wp-config.txt HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.txt HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3d1b1588545b42dc492c162191805e3e504e5fe4", "protocol_details": { "payload_preview": "GET \/wp-config.txt HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/wp-config.txt HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/wp-config.txt HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/wp-config.txt HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /local-config.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/5 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /local-config.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/5 Requête brute (extrait) GET /local-config.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3844.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 255, "payload_entropy": 5.4018853861598135, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c2a94cf707bb59074c81b020bce3fc0f", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "request_sample": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3844.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "evidence": { "request_sample": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3844.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a2515ffc6e388c23363b825c8e7ed7d42141cbf2", "protocol_details": { "payload_preview": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /bootstrap/cache/config.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /bootstrap/cache/config.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit Requête brute (extrait) GET /bootstrap/cache/config.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3178.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 257, "payload_entropy": 5.441278873645036, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b02a09f781e562a260a2dd1251dd1c50", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit", "request_sample": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit", "evidence": { "request_sample": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cd7198b7d945501cab40688b87f74a04608f464e", "protocol_details": { "payload_preview": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /app/config/parameters.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) Apple Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /app/config/parameters.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) Apple Requête brute (extrait) GET /app/config/parameters.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 265, "payload_entropy": 5.4158066518765, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e9cfe9c9a2dd9a925c723ea588edbab5", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) Apple", "request_sample": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) Apple", "evidence": { "request_sample": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) Apple", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7a93ad3d19fa8dc5b11b63500f31d9775fef136c", "protocol_details": { "payload_preview": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) Apple", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) Apple", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) Apple", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) Apple", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /app/config/config.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint APA929 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /app/config/config.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint APA929 Requête brute (extrait) GET /app/config/config.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Accept-Charset: utf-8 Accept-Encoding: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 283, "payload_entropy": 5.425391951472231, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "255689db64f0aaed8a73b4866739e5b5", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/app\/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA929", "request_sample": "GET \/app\/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: ", "payload_snippet": "GET \/app\/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA929", "evidence": { "request_sample": "GET \/app\/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: ", "payload_snippet": "GET \/app\/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA929", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b18ae424bcaa80de2cff13cca96d37e6107d8cbb", "protocol_details": { "payload_preview": "GET \/app\/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA929", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/app\/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA929", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/app\/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA929", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/app\/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA929", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /settings/local.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0a2) Gecko/20110615 Firef Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /settings/local.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0a2) Gecko/20110615 Firef Requête brute (extrait) GET /settings/local.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0a2) Gecko/20110615 Firefox/6.0a2 Iceweasel/6.0a2 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 221, "payload_entropy": 5.306167811394413, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "02d65b6f3b2952ddcf7e064f5a3c7945", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/settings\/local.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firef", "request_sample": "GET \/settings\/local.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firefox\/6.0a2 Iceweasel\/6.0a2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/settings\/local.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firef", "evidence": { "request_sample": "GET \/settings\/local.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firefox\/6.0a2 Iceweasel\/6.0a2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/settings\/local.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firef", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b26f6d52f74f8844e63b798e24699caec6b89ac7", "protocol_details": { "payload_preview": "GET \/settings\/local.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firef", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/settings\/local.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firef", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/settings\/local.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firef", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/settings\/local.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firef", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /app/config/parameters.yaml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /app/config/parameters.yaml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537 Requête brute (extrait) GET /app/config/parameters.yaml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.26 Safari/537.36 Core/1.63.5977.400 LBBROWSER/10.1.3752.400 Accept-Charset: utf-8 Acc Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 297, "payload_entropy": 5.473390906532799, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "59330300b7203e3371b2f0265eafc432", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537", "request_sample": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.26 Safari\/537.36 Core\/1.63.5977.400 LBBROWSER\/10.1.3752.400\r\nAccept-Charset: utf-8\r\nAcc", "payload_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537", "evidence": { "request_sample": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.26 Safari\/537.36 Core\/1.63.5977.400 LBBROWSER\/10.1.3752.400\r\nAccept-Charset: utf-8\r\nAcc", "payload_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f54d764ccac0e574acf6519f434c6ecec23a6f0c", "protocol_details": { "payload_preview": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /application/config/config.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /application/config/config.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW Requête brute (extrait) GET /application/config/config.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 263, "payload_entropy": 5.393146809261888, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b749b6fed165160c8bdaa7c891a63492", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleW", "request_sample": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleW", "evidence": { "request_sample": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleW", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d178276fa25a1648779b315c3d225aedb4123cfe", "protocol_details": { "payload_preview": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleW", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleW", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleW", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleW", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /WEB-INF/context.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /WEB-INF/context.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90 Requête brute (extrait) GET /WEB-INF/context.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 198, "payload_entropy": 5.356492593588485, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0bbc938e929e92249569598f280767ed", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/WEB-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90", "request_sample": "GET \/WEB-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/WEB-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90", "evidence": { "request_sample": "GET \/WEB-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/WEB-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7769dc27b7ee6a361f8d07f0ba4476a4f0ebc53f", "protocol_details": { "payload_preview": "GET \/WEB-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/WEB-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/WEB-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/WEB-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /application/config/database.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/53 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /application/config/database.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/53 Requête brute (extrait) GET /application/config/database.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 255, "payload_entropy": 5.419750012661122, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "91ee11a6e2c4650311ca2cac0a4c13e9", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/53", "request_sample": "GET \/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/53", "evidence": { "request_sample": "GET \/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/53", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "892e3d03e7d8a0fe8e7c29bed271a16361e578e0", "protocol_details": { "payload_preview": "GET \/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/53", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/53", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/53", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/53", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe net_flood redis_config_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /project/settings.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: BlackBerry8330/4.3.0 Profile/MIDP-2.0 Configuration/CLDC-1 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /project/settings.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: BlackBerry8330/4.3.0 Profile/MIDP-2.0 Configuration/CLDC-1 Requête brute (extrait) GET /project/settings.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: BlackBerry8330/4.3.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/105 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 212, "payload_entropy": 5.262524981163503, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 51, "tag_count": 5, "anomaly_count": 0, "campaign_key": "cbfd075d79c49e90bf5931bc85b0ea45b7d3b839", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "822ab7d5f841f9f995af60012eb8364c", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 51 }, "payload_preview": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1", "request_sample": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/105\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1", "evidence": { "request_sample": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/105\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "37fc9742678fafcb04f71753916456f191ef0ddb", "protocol_details": { "payload_preview": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /storage/logs/laravel.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) Apple Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /storage/logs/laravel.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) Apple Requête brute (extrait) GET /storage/logs/laravel.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 264, "payload_entropy": 5.390169375123038, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "b822175e91cd79d15217cf8bf492e70bb1c260b2", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "685fd30ef0593c0e429a2713065cd24d", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Apple", "request_sample": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Apple", "evidence": { "request_sample": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Apple", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8ce8c9084f3c450d1aef6474d1b6819d44870ef7", "protocol_details": { "payload_preview": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Apple", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Apple", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Apple", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Apple", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "tor_exit_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /settings/production.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /settings/production.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) Requête brute (extrait) GET /settings/production.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5362a Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 279, "payload_entropy": 5.366762523997749, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5133dd60c66e7548cf87d76d82591330", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) ", "request_sample": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip", "payload_snippet": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)", "evidence": { "request_sample": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip", "payload_snippet": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8224330a2d77c853dbcb1a14ae54ed0f9918e4eb", "protocol_details": { "payload_preview": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /core/settings.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleW Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /core/settings.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleW Requête brute (extrait) GET /core/settings.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Accept-Charset: utf-8 Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 277, "payload_entropy": 5.38410881527346, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "368e4aab40001d4b5cb91745d67c0c1a", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleW", "request_sample": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\n", "payload_snippet": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleW", "evidence": { "request_sample": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\n", "payload_snippet": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleW", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7bc0b8f8cb1dbd6e6e858f3be7ae553134832ecd", "protocol_details": { "payload_preview": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleW", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleW", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleW", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleW", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /WEB-INF/web.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /WEB-INF/web.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /WEB-INF/web.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.105 Safari/537.36 Vivaldi/2.4.1488.38 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 265, "payload_entropy": 5.527596702943068, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c5b2924b5d881473b96ae2e30295e204", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/WEB-INF\/web.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML", "request_sample": "GET \/WEB-INF\/web.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.105 Safari\/537.36 Vivaldi\/2.4.1488.38\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/WEB-INF\/web.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML", "evidence": { "request_sample": "GET \/WEB-INF\/web.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.105 Safari\/537.36 Vivaldi\/2.4.1488.38\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/WEB-INF\/web.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c1b68a86700927bab8bf3fba55a0df0803e51a21", "protocol_details": { "payload_preview": "GET \/WEB-INF\/web.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/WEB-INF\/web.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/WEB-INF\/web.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/WEB-INF\/web.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /system/application/config/database.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; Leno Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /system/application/config/database.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; Leno Requête brute (extrait) GET /system/application/config/database.php HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; Lenovo K8 Note) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Enco Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 289, "payload_entropy": 5.391539878388884, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3b07e846d83bf0b7ca1820967ff2afe5", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/system\/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Leno", "request_sample": "GET \/system\/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Lenovo K8 Note) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Enco", "payload_snippet": "GET \/system\/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Leno", "evidence": { "request_sample": "GET \/system\/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Lenovo K8 Note) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Enco", "payload_snippet": "GET \/system\/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Leno", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c6dbbf1387d513e2c5438d9ac1ee7937b978dce6", "protocol_details": { "payload_preview": "GET \/system\/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Leno", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/system\/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Leno", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/system\/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Leno", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/system\/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Leno", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /WEB-INF/classes/application.properties HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebK Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /WEB-INF/classes/application.properties HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebK Requête brute (extrait) GET /WEB-INF/classes/application.properties HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 261, "payload_entropy": 5.397197265792193, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "63cb2154e96685f276d55405898079dc", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebK", "request_sample": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebK", "evidence": { "request_sample": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebK", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a18cd4798b4fdd609f664f3a7c2fab3cb4600b4d", "protocol_details": { "payload_preview": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebK", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebK", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebK", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebK", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.idea/dataSources.local.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) Ap Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.idea/dataSources.local.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) Ap Requête brute (extrait) GET /.idea/dataSources.local.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connectio Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 268, "payload_entropy": 5.420473720802275, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9918402e77cb2b918089d41482e8f8a4", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) Ap", "request_sample": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) Ap", "evidence": { "request_sample": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) Ap", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e628648fc19746c16bd7415ecafc7160a910c9d6", "protocol_details": { "payload_preview": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) Ap", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) Ap", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) Ap", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) Ap", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.idea/dataSources.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Tride Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.idea/dataSources.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Tride Requête brute (extrait) GET /.idea/dataSources.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 204, "payload_entropy": 5.301082327558993, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0b49d1926b12fb049f41315f6738661a", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Tride", "request_sample": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/4.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Tride", "evidence": { "request_sample": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/4.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Tride", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2dbfe3365c81e44dfe343ddf8f16bbe1907beb4f", "protocol_details": { "payload_preview": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Tride", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Tride", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Tride", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Tride", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /settings/base.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/6 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /settings/base.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/6 Requête brute (extrait) GET /settings/base.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 255, "payload_entropy": 5.342986023527013, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c3a714987e74e5f16bcb5e36624e0326", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/settings\/base.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/6", "request_sample": "GET \/settings\/base.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/settings\/base.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/6", "evidence": { "request_sample": "GET \/settings\/base.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/settings\/base.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/6", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "63261eb20e018bdc4bce48aaaf9a83ee9533a127", "protocol_details": { "payload_preview": "GET \/settings\/base.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/6", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/settings\/base.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/6", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/settings\/base.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/6", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/settings\/base.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/6", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.vscode/sftp.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTM Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.vscode/sftp.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /.vscode/sftp.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 246, "payload_entropy": 5.434498773488178, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "09c1431186e67d2a1a426fd78c34aaac", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM", "request_sample": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM", "evidence": { "request_sample": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2548c6b057c7177925b9415b645fc4704c029f45", "protocol_details": { "payload_preview": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.idea/WebServers.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.71 (KHTML li Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.idea/WebServers.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.71 (KHTML li Requête brute (extrait) GET /.idea/WebServers.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.71 (KHTML like Gecko) WebVideo/1.0.1.10 Version/7.0 Safari/537.71 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 250, "payload_entropy": 5.364072547665692, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6a5f203578c4205ea72f89c4d6ffc3fa", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML li", "request_sample": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) WebVideo\/1.0.1.10 Version\/7.0 Safari\/537.71\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML li", "evidence": { "request_sample": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) WebVideo\/1.0.1.10 Version\/7.0 Safari\/537.71\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML li", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fd8f1af69a0c680ead9912f9ab1c069a1c525d2a", "protocol_details": { "payload_preview": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML li", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML li", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML li", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML li", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.vscode/settings.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.vscode/settings.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537 Requête brute (extrait) GET /.vscode/settings.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 261, "payload_entropy": 5.429178054386532, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "59456970674e91fc96c44bad87b27ee5", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537", "request_sample": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537", "evidence": { "request_sample": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "781da7a431e56effabfb17f3d23c5c0c782c59d6", "protocol_details": { "payload_preview": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.idea/deployment.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.idea/deployment.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK Requête brute (extrait) GET /.idea/deployment.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 259, "payload_entropy": 5.39190342114953, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9e1836072cdd859e4737ea0ef08e6885", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK", "request_sample": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK", "evidence": { "request_sample": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ff8644c185b4394338afb677fc253cc4d1543867", "protocol_details": { "payload_preview": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.idea/workspace.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit/537 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.idea/workspace.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit/537 Requête brute (extrait) GET /.idea/workspace.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 262, "payload_entropy": 5.403658638547989, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c64bac8b3e3e853566206311d1354ae1", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537", "request_sample": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537", "evidence": { "request_sample": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "51be50902de18745f0d64a62c65897d6ecdf5588", "protocol_details": { "payload_preview": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /META-INF/context.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /META-INF/context.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML Requête brute (extrait) GET /META-INF/context.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.56 Safari/537.4 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 241, "payload_entropy": 5.492442770668362, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "389839e0bb37f09a2f1c1e764cff47e7", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML ", "request_sample": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML like Gecko) Chrome\/22.0.1229.56 Safari\/537.4\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML", "evidence": { "request_sample": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML like Gecko) Chrome\/22.0.1229.56 Safari\/537.4\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6432e115a451c28ea90305bf31fd0ec57a66e788", "protocol_details": { "payload_preview": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.gitlab-ci.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit/537.36 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.gitlab-ci.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit/537.36 Requête brute (extrait) GET /.gitlab-ci.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 258, "payload_entropy": 5.436693340658309, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3e903075bf3d2b0e4522b87a69634e39", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36 ", "request_sample": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36", "evidence": { "request_sample": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bdbf38b51263d7081d9749dcc719b341960a1363", "protocol_details": { "payload_preview": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.github/workflows/production.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/5 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.github/workflows/production.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/5 Requête brute (extrait) GET /.github/workflows/production.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116 Accept-Charset: utf-8 Accept-Encoding: gzip Co Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 275, "payload_entropy": 5.504199666861561, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4684781158f015a436ee55c5c263c8d5", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/5", "request_sample": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "payload_snippet": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/5", "evidence": { "request_sample": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "payload_snippet": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fec4bb7144048b54b4dd8873ae35c8c96169c85b", "protocol_details": { "payload_preview": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/5", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/5", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/5", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/5", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe net_flood websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.travis.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61) Accept-Charset: utf-8 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.travis.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61) Accept-Charset: utf-8 Requête brute (extrait) GET /.travis.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 174, "payload_entropy": 5.256548416457445, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5d7a54c39cf9421e33ae6b4b572905b0b1c15fb7", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d45e12b3fb5f022eb62d02635606bce0", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 51 }, "payload_preview": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\r\nAccept-Charset: utf-8", "request_sample": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\r\nAccept-Charset: utf-8", "evidence": { "request_sample": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\r\nAccept-Charset: utf-8", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3ef77b61190530fc9fd23b8bd2baed3ac0fb2c8c", "protocol_details": { "payload_preview": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\r\nAccept-Charset: utf-8", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\r\nAccept-Charset: utf-8", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\r\nAccept-Charset: utf-8", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\r\nAccept-Charset: utf-8", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe jenkins_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /Jenkinsfile HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, lik Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /Jenkinsfile HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, lik Requête brute (extrait) GET /Jenkinsfile HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 240, "payload_entropy": 5.425588863008424, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "625e587791233f6fe687dd86ef080d3bb3daac42", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "57c46d300ae4a87c0e7458ff533ec8ad", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, lik", "request_sample": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, lik", "evidence": { "request_sample": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, lik", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5b72e709ee5bfc6cf73175407cee5ea6f3c74d57", "protocol_details": { "payload_preview": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, lik", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, lik", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, lik", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, lik", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "jenkins_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.vscode/launch.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit/5 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.vscode/launch.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit/5 Requête brute (extrait) GET /.vscode/launch.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.80 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 263, "payload_entropy": 5.423150952541444, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "03947b58412005dca2bf153bc0163296", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/5", "request_sample": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.80 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/5", "evidence": { "request_sample": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.80 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61b84c2569bb948ee1263a024e901c2349c9795d", "protocol_details": { "payload_preview": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/5", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/5", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/5", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/5", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.github/workflows/main.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.github/workflows/main.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac Requête brute (extrait) GET /.github/workflows/main.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac OS X; de-de) AppleWebKit/533.17.9 (KHTML, like Gecko) Mobile/8F190 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 263, "payload_entropy": 5.447805243505889, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "39c3a5ac8643fd0cfae862bacdf0d9bf", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac ", "request_sample": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac OS X; de-de) AppleWebKit\/533.17.9 (KHTML, like Gecko) Mobile\/8F190\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac", "evidence": { "request_sample": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac OS X; de-de) AppleWebKit\/533.17.9 (KHTML, like Gecko) Mobile\/8F190\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e3fdea50ace184d74c3af2f1ff53a71bcbc78a46", "protocol_details": { "payload_preview": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.vscode/tasks.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.vscode/tasks.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /.vscode/tasks.json HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 OPR/60.0.3255.59 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 260, "payload_entropy": 5.468799147178282, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "819524bab498bdde760f8118ec28bcb0", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, ", "request_sample": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.59\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "evidence": { "request_sample": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.59\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c01282c550d3a5af9c692a3c90e9484b53fb220d", "protocol_details": { "payload_preview": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.circleci/config.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit/ Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.circleci/config.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit/ Requête brute (extrait) GET /.circleci/config.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 264, "payload_entropy": 5.411652175260553, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "44e1e62bd2ea53df4c309ee8057bdbf4", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/", "request_sample": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/", "evidence": { "request_sample": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "373c87db8ddb7387ae2c62f9d05d954bfb67c028", "protocol_details": { "payload_preview": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.drone.yaml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; Nexus 6P Build/N2G48C) AppleWeb Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.drone.yaml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; Nexus 6P Build/N2G48C) AppleWeb Requête brute (extrait) GET /.drone.yaml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; Nexus 6P Build/N2G48C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.107 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connecti Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 269, "payload_entropy": 5.461660375252798, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bdb5533af567036530a6f5928df63f5f", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWeb", "request_sample": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.107 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWeb", "evidence": { "request_sample": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.107 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWeb", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6a1d391b51d5f913aebe42be7402ef81f845b249", "protocol_details": { "payload_preview": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWeb", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWeb", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWeb", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWeb", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.drone.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build/LMY47V) Appl Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.drone.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build/LMY47V) Appl Requête brute (extrait) GET /.drone.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Conne Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 272, "payload_entropy": 5.450612407184423, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "aae507a7089a5706c72de61a321a046b", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) Appl", "request_sample": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.83 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne", "payload_snippet": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) Appl", "evidence": { "request_sample": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.83 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne", "payload_snippet": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) Appl", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d5e1c7599f23fca60466aafc64895c9a700d2adc", "protocol_details": { "payload_preview": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) Appl", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) Appl", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) Appl", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) Appl", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /bitbucket-pipelines.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleW Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /bitbucket-pipelines.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleW Requête brute (extrait) GET /bitbucket-pipelines.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Reeder/3.2 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 258, "payload_entropy": 5.384361652459085, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "94c564b275121e10fc46930e0e51a1d8", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleW", "request_sample": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Reeder\/3.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleW", "evidence": { "request_sample": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Reeder\/3.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleW", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0c5b6c29507efea07e319062eca021f37b2976b9", "protocol_details": { "payload_preview": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleW", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleW", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleW", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleW", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }

34.101.45.12

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence