Détails IP 34.101.45.12

Synthèse exécutive

Profil de menace

Score de risque 59/100 Moyen

Première observation 14/06/2026 11:30 UTC

Dernière observation 14/06/2026 11:30 UTC

Événements (période) 854

MITRE ATT&CK principal T1499 775 occurrences

Activité suspecte — risque 59/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTPS

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_flood » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 8

Comparaison ASN / FAI

ASN 396982 · 34.101.32.0/19 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 854 événements sur la période pour cette IP.

35.216.144.195 Sonde PostgreSQL 18/06/2026 08:49 UTC
162.216.150.125 Scanner web 18/06/2026 08:48 UTC
162.216.150.146 Scanner web 18/06/2026 08:48 UTC
162.216.150.95 Scanner web 18/06/2026 08:47 UTC
35.203.211.128 Sonde RTSP 18/06/2026 08:45 UTC
35.203.211.95 SSRF interne 18/06/2026 08:45 UTC
35.203.210.41 Scanner web 18/06/2026 08:45 UTC
162.216.149.60 Sonde PostgreSQL 18/06/2026 08:44 UTC

IPs apparentées

Même FAI Google LLC — corrélation indicative.

35.216.144.195 Sonde PostgreSQL
162.216.150.125 Scanner web
162.216.150.146 Scanner web
162.216.150.95 Scanner web
35.203.211.128 Sonde RTSP

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

854 événement(s) — page 2/18

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.buildkite/pipeline.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; VOG-L29) AppleWebKit/53 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.buildkite/pipeline.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; VOG-L29) AppleWebKit/53 Requête brute (extrait) GET /.buildkite/pipeline.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; VOG-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 263, "payload_entropy": 5.44264180417618, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4dcc3cb65e79f129b51151edf8e17050", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/53", "request_sample": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/53", "evidence": { "request_sample": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/53", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0034f7bf2c4b42e01ea028aead779891b7bb7f0c", "protocol_details": { "payload_preview": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/53", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/53", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/53", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/53", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe jenkins_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /jenkins/Jenkinsfile HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537. Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /jenkins/Jenkinsfile HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537. Requête brute (extrait) GET /jenkins/Jenkinsfile HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116 Accept-Charset: utf-8 Accept-Encoding: gzip Conne Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 272, "payload_entropy": 5.441466849494665, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "625e587791233f6fe687dd86ef080d3bb3daac42", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "70be023c757a785e51f60ce301351f15", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "request_sample": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne", "payload_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "evidence": { "request_sample": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne", "payload_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4b2c8dde836b1a5bf0bc8c75e06c23ad147a3f0c", "protocol_details": { "payload_preview": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "jenkins_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.github/workflows/deploy.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWe Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.github/workflows/deploy.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWe Requête brute (extrait) GET /.github/workflows/deploy.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 262, "payload_entropy": 5.474533159925793, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "55eb3c98a093c340757fba7be7b59d5f", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "request_sample": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.81 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "evidence": { "request_sample": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.81 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3556c8468ff63fa65436086609cd4553196e528f", "protocol_details": { "payload_preview": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.github/workflows/ci.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:28.0) Gecko/20100101 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.github/workflows/ci.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:28.0) Gecko/20100101 Requête brute (extrait) GET /.github/workflows/ci.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 210, "payload_entropy": 5.377533848621637, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "50f36ed6432324ab27fa397ac0a379d6", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101", "request_sample": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101 Firefox\/28.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101", "evidence": { "request_sample": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101 Firefox\/28.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2592f808f797f46f64cafed987669a4f8e2216ee", "protocol_details": { "payload_preview": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /error.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 ( Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /error.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 ( Requête brute (extrait) GET /error.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 250, "payload_entropy": 5.39652715119118, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f0bc8063219efe8e631ee3635d0a044d", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (", "request_sample": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (", "evidence": { "request_sample": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "47b417b8d488d3ee201e8eb078e40c6672f5605c", "protocol_details": { "payload_preview": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe net_flood websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /server.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Opera/9.80 (S60; SymbOS; Opera Mobi/499; U; ru) Presto/2.4.18 Versi Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /server.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Opera/9.80 (S60; SymbOS; Opera Mobi/499; U; ru) Presto/2.4.18 Versi Requête brute (extrait) GET /server.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Opera/9.80 (S60; SymbOS; Opera Mobi/499; U; ru) Presto/2.4.18 Version/10.00 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 205, "payload_entropy": 5.294931789477367, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5d7a54c39cf9421e33ae6b4b572905b0b1c15fb7", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "08bb28108c9c154f93ac4c3ec6ce4432", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 51 }, "payload_preview": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (S60; SymbOS; Opera Mobi\/499; U; ru) Presto\/2.4.18 Versi", "request_sample": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (S60; SymbOS; Opera Mobi\/499; U; ru) Presto\/2.4.18 Version\/10.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (S60; SymbOS; Opera Mobi\/499; U; ru) Presto\/2.4.18 Versi", "evidence": { "request_sample": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (S60; SymbOS; Opera Mobi\/499; U; ru) Presto\/2.4.18 Version\/10.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (S60; SymbOS; Opera Mobi\/499; U; ru) Presto\/2.4.18 Versi", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c35fa5b9be209133f1ad372a8d66dba8a3ec847d", "protocol_details": { "payload_preview": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (S60; SymbOS; Opera Mobi\/499; U; ru) Presto\/2.4.18 Versi", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (S60; SymbOS; Opera Mobi\/499; U; ru) Presto\/2.4.18 Versi", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (S60; SymbOS; Opera Mobi\/499; U; ru) Presto\/2.4.18 Versi", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (S60; SymbOS; Opera Mobi\/499; U; ru) Presto\/2.4.18 Versi", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /azure-pipelines.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II B Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /azure-pipelines.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II B Requête brute (extrait) GET /azure-pipelines.yml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/GRJ22) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Accept-Charset: utf-8 Accept-Encoding: gzi Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 280, "payload_entropy": 5.419088785244074, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d4f58d2558ba4c8fd58eb69772b90aaf", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II B", "request_sample": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzi", "payload_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II B", "evidence": { "request_sample": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzi", "payload_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II B", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "58958307bcc01374125a43b0562d13715984c19e", "protocol_details": { "payload_preview": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II B", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II B", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II B", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II B", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe net_flood websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /app.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Googlebot-Video/1.0 Accept-Charset: utf-8 Accept-Encoding: gzip Con Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /app.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Googlebot-Video/1.0 Accept-Charset: utf-8 Accept-Encoding: gzip Con Requête brute (extrait) GET /app.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Googlebot-Video/1.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 146, "payload_entropy": 5.056350396369223, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5d7a54c39cf9421e33ae6b4b572905b0b1c15fb7", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c80415cc8e15210827524a676eb6f9b1", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 51 }, "payload_preview": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "request_sample": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "evidence": { "request_sample": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e674fd9b074dffad04778bb2de74b3648bc50a8", "protocol_details": { "payload_preview": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /laravel.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /laravel.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Requête brute (extrait) GET /laravel.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/28.0.1469.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 237, "payload_entropy": 5.42134533380455, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a7d70a65f20e5eaef6a6fa2ae1fe9a20", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML like", "request_sample": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/28.0.1469.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML like", "evidence": { "request_sample": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/28.0.1469.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML like", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cb30bf4a1aec11e31060b9b2e65e41cf1a816cf5", "protocol_details": { "payload_preview": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML like", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML like", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML like", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML like", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /trace.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /trace.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /trace.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 256, "payload_entropy": 5.437538272309594, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2ea9b624e7abef1fc7fc6e052c4ca8ec", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like ", "request_sample": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.155 Safari\/537.36 OPR\/31.0.1889.174\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "evidence": { "request_sample": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.155 Safari\/537.36 OPR\/31.0.1889.174\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "093c88cc2646734a11bd562bcd43e09359993975", "protocol_details": { "payload_preview": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /access.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /access.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Requête brute (extrait) GET /access.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 250, "payload_entropy": 5.390291952181875, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "be1c82323d21a057079dc55cca4f3e8d", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/537.36 (KHTML, like Gecko)", "request_sample": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/537.36 (KHTML, like Gecko)", "evidence": { "request_sample": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/537.36 (KHTML, like Gecko)", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f56425dcc0201ce5481a13c02823d802710256ac", "protocol_details": { "payload_preview": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/537.36 (KHTML, like Gecko)", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/537.36 (KHTML, like Gecko)", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/537.36 (KHTML, like Gecko)", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/537.36 (KHTML, like Gecko)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /application.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (K Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /application.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (K Requête brute (extrait) GET /application.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 248, "payload_entropy": 5.3944684176673245, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6ed5e8e4d9df1ae574db59ba172f7d65", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "request_sample": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.90 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "evidence": { "request_sample": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.90 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dccbd9a1f5a3613aed08db4d4dc41b75107899ff", "protocol_details": { "payload_preview": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /logs/error.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Fir Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /logs/error.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Fir Requête brute (extrait) GET /logs/error.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 206, "payload_entropy": 5.286705245383805, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e55b40f9d8eb0831bd2f3061ed255bfd", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko\/20100101 Fir", "request_sample": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko\/20100101 Firefox\/41.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko\/20100101 Fir", "evidence": { "request_sample": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko\/20100101 Firefox\/41.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko\/20100101 Fir", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9139cf75c75bf01ffaacd40bde0bdc67aab4fc3a", "protocol_details": { "payload_preview": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko\/20100101 Fir", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko\/20100101 Fir", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko\/20100101 Fir", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko\/20100101 Fir", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /logs/application.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /logs/application.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /logs/application.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.145 Safari/537.36 Vivaldi/2.6.1566.51 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 265, "payload_entropy": 5.426807497419294, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "81a9fcdad93fb7c126fd7be73c72edb2", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML", "request_sample": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.36 Vivaldi\/2.6.1566.51\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML", "evidence": { "request_sample": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.36 Vivaldi\/2.6.1566.51\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "af0212d0ffa9169c97e80c9f5a9b04d995e7b537", "protocol_details": { "payload_preview": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /debug.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Geck Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /debug.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Geck Requête brute (extrait) GET /debug.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 233, "payload_entropy": 5.460923168220043, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d82ef5f4fa13e26fac7f2c83b4514e6f", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "request_sample": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "evidence": { "request_sample": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5166b74bfed6a092fbd211333dc2e9004734b19e", "protocol_details": { "payload_preview": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /logs/app.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHT Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /logs/app.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /logs/app.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 246, "payload_entropy": 5.406677117271805, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a09e0b4cf6c4ae9f9f4e26d8d1f431ff", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "request_sample": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "evidence": { "request_sample": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "454e97295d8dbf27a7340848f29b95046cd68aac", "protocol_details": { "payload_preview": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /log/error.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; LM-G710) AppleWebKit/537.36 (KHTM Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /log/error.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; LM-G710) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /log/error.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; LM-G710) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 253, "payload_entropy": 5.394767409498672, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ec6e1e7882b2e97a53a44dbad2eeedf8", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KHTM", "request_sample": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KHTM", "evidence": { "request_sample": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "89ea698d32c4f27543e3d9d8e6b8b9a74e32e906", "protocol_details": { "payload_preview": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KHTM", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KHTM", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KHTM", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KHTM", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.htaccess HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.htaccess HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Requête brute (extrait) GET /.htaccess HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 197, "payload_entropy": 5.27075370547498, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "95bfbda1f23185e45d37a1274e8c6f4b", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko", "request_sample": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko", "evidence": { "request_sample": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7f24a3697ce11acd8b85e343f41f76c139683bd7", "protocol_details": { "payload_preview": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.htpasswd HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko/48.0 Firefox/48.0 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.htpasswd HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko/48.0 Firefox/48.0 Requête brute (extrait) GET /.htpasswd HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko/48.0 Firefox/48.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 197, "payload_entropy": 5.27827786132832, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "984413f99ccbd34d501381295b7f1a7a", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/48.0", "request_sample": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/48.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/48.0", "evidence": { "request_sample": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/48.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/48.0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6c6bc90acbf1b61e953c0eafeb06b5200a4cbc29", "protocol_details": { "payload_preview": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/48.0", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/48.0", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/48.0", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/48.0", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.pypirc HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.pypirc HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Requête brute (extrait) GET /.pypirc HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 209, "payload_entropy": 5.259530959928265, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cebde235b5d83e1fcc54bdf70b0a8c7d", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko\/20100101 ", "request_sample": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko\/20100101 Firefox\/40.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko\/20100101", "evidence": { "request_sample": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko\/20100101 Firefox\/40.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko\/20100101", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7dd5e185b0a3a6db0f5c9df4ae6cd33863d9635a", "protocol_details": { "payload_preview": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko\/20100101", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko\/20100101", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko\/20100101", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko\/20100101", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /logs/debug.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Ge Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /logs/debug.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Ge Requête brute (extrait) GET /logs/debug.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 226, "payload_entropy": 5.325733353981119, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1ecc7ae6da7e878fc95af61bf9a72f76", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Ge", "request_sample": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko\/2009042316 Firefox\/3.0.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Ge", "evidence": { "request_sample": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko\/2009042316 Firefox\/3.0.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Ge", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "49f1fd1f0b3c41c8089c2cab00b6264301a65631", "protocol_details": { "payload_preview": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Ge", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Ge", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Ge", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Ge", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.gitconfig HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.gitconfig HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /.gitconfig HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 245, "payload_entropy": 5.408050171440059, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d7de1d53575c0b62f0b4358bed2fec93", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "request_sample": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "evidence": { "request_sample": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "28feac3e30671b91e7adff1617f0fc62e9a83555", "protocol_details": { "payload_preview": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /nginx.config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit/537.36 ( Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /nginx.config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit/537.36 ( Requête brute (extrait) GET /nginx.config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 257, "payload_entropy": 5.411093862257546, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "28679192b3c276b67d10212b444136fd", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (", "request_sample": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (", "evidence": { "request_sample": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "18732eb512f14f2d5a958a155cf0604e98fa4a38", "protocol_details": { "payload_preview": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /server.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/605.1.1 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /server.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/605.1.1 Requête brute (extrait) GET /server.xml HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 249, "payload_entropy": 5.395892621320205, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c0ca6722202137e0f5efa940dd74f9a7", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.1", "request_sample": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.1", "evidence": { "request_sample": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.1", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8e0feb162d8f9cc154692409adbe36ae78868569", "protocol_details": { "payload_preview": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.1", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.1", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.1", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.1", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /nginx.conf HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.1 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /nginx.conf HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.1 Requête brute (extrait) GET /nginx.conf HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 247, "payload_entropy": 5.34972324078185, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3b6f2e85d60643af400e7b4067de2e7e", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.1", "request_sample": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.1", "evidence": { "request_sample": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.1", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ed6e5ae4ad9c63f3f4d3c5795cdcbd71cd0e16e3", "protocol_details": { "payload_preview": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.1", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.1", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.1", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.1", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /log/debug.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHT Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /log/debug.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /log/debug.log HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 246, "payload_entropy": 5.43059770485801, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "87c59facb2424026e20b8864b9abbe4c", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "request_sample": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "evidence": { "request_sample": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5b21adfc4149d2acebe1a761239a8f58b06b5ebe", "protocol_details": { "payload_preview": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.npmrc HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, li Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.npmrc HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /.npmrc HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 241, "payload_entropy": 5.401273388334311, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1240bb101d0d8d8a2cc73d06e1704da6", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, li", "request_sample": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "request_sample": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d4d2f3d6faeeb9abb8dbfbdb1d2907889c7ae04f", "protocol_details": { "payload_preview": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, li", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, li", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe net_flood websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.netrc HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: NetSurf/1.2 (NetBSD; amd64) Accept-Charset: utf-8 Accept-Encoding: gz Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.netrc HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: NetSurf/1.2 (NetBSD; amd64) Accept-Charset: utf-8 Accept-Encoding: gz Requête brute (extrait) GET /.netrc HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: NetSurf/1.2 (NetBSD; amd64) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 153, "payload_entropy": 5.214311824559732, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5d7a54c39cf9421e33ae6b4b572905b0b1c15fb7", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e44a83627f597fee921d9796143ece78", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 51 }, "payload_preview": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: NetSurf\/1.2 (NetBSD; amd64)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "request_sample": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: NetSurf\/1.2 (NetBSD; amd64)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: NetSurf\/1.2 (NetBSD; amd64)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "evidence": { "request_sample": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: NetSurf\/1.2 (NetBSD; amd64)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: NetSurf\/1.2 (NetBSD; amd64)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8cdd6b6f49bba1ba784a7832b1949b370aa9d4d6", "protocol_details": { "payload_preview": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: NetSurf\/1.2 (NetBSD; amd64)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: NetSurf\/1.2 (NetBSD; amd64)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: NetSurf\/1.2 (NetBSD; amd64)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: NetSurf\/1.2 (NetBSD; amd64)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /web.config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit/ Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit/ Requête brute (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connec Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 271, "payload_entropy": 5.405387827646316, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ca2ad170ac1acc756dd3e8f6a05a79f5", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit\/", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit\/", "evidence": { "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit\/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d7be007be832f9ceabe9d1f0c532133df1709748", "protocol_details": { "payload_preview": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit\/", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit\/", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit\/", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit\/", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.ssh/authorized_keys HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.ssh/authorized_keys HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /.ssh/authorized_keys HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.117 Accept-Charset: utf-8 Accept-Encoding: gzip Conn Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 273, "payload_entropy": 5.473540167708483, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "173d21e5f5fe551ff7aa6daeea82bcd4", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.ssh\/authorized_keys HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "request_sample": "GET \/.ssh\/authorized_keys HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.117\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/.ssh\/authorized_keys HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "request_sample": "GET \/.ssh\/authorized_keys HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.117\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/.ssh\/authorized_keys HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5a33574ddf7d0a92e06745c3beee6db83f365e10", "protocol_details": { "payload_preview": "GET \/.ssh\/authorized_keys HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.ssh\/authorized_keys HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.ssh\/authorized_keys HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.ssh\/authorized_keys HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe net_flood websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /id_rsa HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: everyfeed-spider/2.0 (http://www.everyfeed.com) Accept-Charset: utf-8 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /id_rsa HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: everyfeed-spider/2.0 (http://www.everyfeed.com) Accept-Charset: utf-8 Requête brute (extrait) GET /id_rsa HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: everyfeed-spider/2.0 (http://www.everyfeed.com) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 173, "payload_entropy": 5.162969252313586, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5d7a54c39cf9421e33ae6b4b572905b0b1c15fb7", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0103", "pat-0600" ], "matched_pattern_names": [ "LFI Double-dot bypass", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0103", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "502133cee1c9af16408586fa223b9da0", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 51 }, "payload_preview": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: everyfeed-spider\/2.0 (http:\/\/www.everyfeed.com)\r\nAccept-Charset: utf-8\r", "request_sample": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: everyfeed-spider\/2.0 (http:\/\/www.everyfeed.com)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: everyfeed-spider\/2.0 (http:\/\/www.everyfeed.com)\r\nAccept-Charset: utf-8", "evidence": { "request_sample": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: everyfeed-spider\/2.0 (http:\/\/www.everyfeed.com)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: everyfeed-spider\/2.0 (http:\/\/www.everyfeed.com)\r\nAccept-Charset: utf-8", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eea68e6885515c085e55fe1b100fd19288980a92", "protocol_details": { "payload_preview": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: everyfeed-spider\/2.0 (http:\/\/www.everyfeed.com)\r\nAccept-Charset: utf-8", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: everyfeed-spider\/2.0 (http:\/\/www.everyfeed.com)\r\nAccept-Charset: utf-8", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: everyfeed-spider\/2.0 (http:\/\/www.everyfeed.com)\r\nAccept-Charset: utf-8", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: everyfeed-spider\/2.0 (http:\/\/www.everyfeed.com)\r\nAccept-Charset: utf-8", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.ssh/id_rsa HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.ssh/id_rsa HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0 Requête brute (extrait) GET /.ssh/id_rsa HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 243, "payload_entropy": 5.381077265831556, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b9daeec31e41df586fd24472264165a5", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0", "request_sample": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0; IEMobile\/10.0; ARM; Touch; NOKIA; Lumia 920)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0", "evidence": { "request_sample": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0; IEMobile\/10.0; ARM; Touch; NOKIA; Lumia 920)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "266628859c6d34ebefff882f03c83b7cefa7ba7a", "protocol_details": { "payload_preview": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /private_key.pem HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 7.0; KIICAA POWER) AppleWebKit/537 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /private_key.pem HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 7.0; KIICAA POWER) AppleWebKit/537 Requête brute (extrait) GET /private_key.pem HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 7.0; KIICAA POWER) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 262, "payload_entropy": 5.487679412401257, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c33246815af42e8b8c2c49995025fa51", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; KIICAA POWER) AppleWebKit\/537", "request_sample": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; KIICAA POWER) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; KIICAA POWER) AppleWebKit\/537", "evidence": { "request_sample": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; KIICAA POWER) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; KIICAA POWER) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c0bd11e5175a4fd41b1f1cad7125ee4cd730c9c8", "protocol_details": { "payload_preview": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; KIICAA POWER) AppleWebKit\/537", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; KIICAA POWER) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; KIICAA POWER) AppleWebKit\/537", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; KIICAA POWER) AppleWebKit\/537", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.bash_history HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /.bash_history HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident Requête brute (extrait) GET /.bash_history HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 216, "payload_entropy": 5.340872769119221, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "b822175e91cd79d15217cf8bf492e70bb1c260b2", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "111ac461663614dcee047dc102c053c3", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident", "request_sample": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident\/5.0; IEMobile\/9.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident", "evidence": { "request_sample": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident\/5.0; IEMobile\/9.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "64f150c2b31b97e1d802aa6fc743dcf02928f678", "protocol_details": { "payload_preview": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "tor_exit_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /server.key HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /server.key HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /server.key HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 OPR/60.0.3255.109 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 262, "payload_entropy": 5.444559475470036, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bee6c48291207a50e4348316de1bc730", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML,", "request_sample": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.109\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML,", "evidence": { "request_sample": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.109\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a251de9101f52fc169aa51e106d15da9d0ad3b11", "protocol_details": { "payload_preview": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML,", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML,", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /private.key HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /private.key HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit Requête brute (extrait) GET /private.key HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/74.0.3729.155 Mobile/15E148 Safari/605.1 Accept-Charset: utf-8 Accept-Encoding: gzip Conn Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 273, "payload_entropy": 5.416530595418716, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0dcdae74a8fdeda32226e1dc05f99f00", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit", "request_sample": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/74.0.3729.155 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit", "evidence": { "request_sample": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/74.0.3729.155 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "940edfd1c43cc2e64c7589c94aee1c7206b435e5", "protocol_details": { "payload_preview": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /server.pem HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G960U Build/PPR1.180610.0 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /server.pem HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G960U Build/PPR1.180610.0 Requête brute (extrait) GET /server.pem HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G960U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/9.4 Chrome/67.0.3396.87 Mobile Safari/537.36 Accept-Charset: utf-8 A Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 299, "payload_entropy": 5.518864347260299, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4774f44996e78f1aa6af3614c76bd34f", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960U Build\/PPR1.180610.0", "request_sample": "GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960U Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nA", "payload_snippet": "GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960U Build\/PPR1.180610.0", "evidence": { "request_sample": "GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960U Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nA", "payload_snippet": "GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960U Build\/PPR1.180610.0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "acae5a7324a18ee5e7a26bd370f23f2973b10937", "protocol_details": { "payload_preview": "GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960U Build\/PPR1.180610.0", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960U Build\/PPR1.180610.0", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960U Build\/PPR1.180610.0", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G960U Build\/PPR1.180610.0", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe net_flood websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /sendgrid.min.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: SonyEricssonT68/R201A Accept-Charset: utf-8 Accept-Encoding: Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /sendgrid.min.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: SonyEricssonT68/R201A Accept-Charset: utf-8 Accept-Encoding: Requête brute (extrait) GET /sendgrid.min.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: SonyEricssonT68/R201A Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 156, "payload_entropy": 5.132963335883482, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5d7a54c39cf9421e33ae6b4b572905b0b1c15fb7", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "05cffac2bd8eddd5bb359a3236b1acf2", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 51 }, "payload_preview": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: SonyEricssonT68\/R201A\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "request_sample": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: SonyEricssonT68\/R201A\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: SonyEricssonT68\/R201A\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "evidence": { "request_sample": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: SonyEricssonT68\/R201A\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: SonyEricssonT68\/R201A\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bcaef19723e3c68d60b79381b717e9edbff51e5a", "protocol_details": { "payload_preview": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: SonyEricssonT68\/R201A\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: SonyEricssonT68\/R201A\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: SonyEricssonT68\/R201A\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: SonyEricssonT68\/R201A\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit/537.36 (K Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit/537.36 (K Requête brute (extrait) GET /sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 256, "payload_entropy": 5.424969479838208, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "36339365e7c34ca0296a6ef0328cdd5f", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36 (K", "request_sample": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36 (K", "evidence": { "request_sample": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36 (K", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "18cc55fecf3007ff2866d461873b20d745edc9fa", "protocol_details": { "payload_preview": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36 (K", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36 (K", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36 (K", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36 (K", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe net_flood redis_config_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /sendgrid.config.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: LG-LX550 AU-MIC-LX550/2.0 MMP/2.0 Profile/MIDP-2.0 Configur Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /sendgrid.config.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: LG-LX550 AU-MIC-LX550/2.0 MMP/2.0 Profile/MIDP-2.0 Configur Requête brute (extrait) GET /sendgrid.config.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: LG-LX550 AU-MIC-LX550/2.0 MMP/2.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 211, "payload_entropy": 5.266474320783812, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 51, "tag_count": 5, "anomaly_count": 0, "campaign_key": "cbfd075d79c49e90bf5931bc85b0ea45b7d3b839", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b9b1fe078ac0ac8bdb5e5aaa6013df4e", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 51 }, "payload_preview": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: LG-LX550 AU-MIC-LX550\/2.0 MMP\/2.0 Profile\/MIDP-2.0 Configur", "request_sample": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: LG-LX550 AU-MIC-LX550\/2.0 MMP\/2.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: LG-LX550 AU-MIC-LX550\/2.0 MMP\/2.0 Profile\/MIDP-2.0 Configur", "evidence": { "request_sample": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: LG-LX550 AU-MIC-LX550\/2.0 MMP\/2.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: LG-LX550 AU-MIC-LX550\/2.0 MMP\/2.0 Profile\/MIDP-2.0 Configur", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "473fe99ffd4b7335f49fd9e39cbc2aac20add406", "protocol_details": { "payload_preview": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: LG-LX550 AU-MIC-LX550\/2.0 MMP\/2.0 Profile\/MIDP-2.0 Configur", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: LG-LX550 AU-MIC-LX550\/2.0 MMP\/2.0 Profile\/MIDP-2.0 Configur", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: LG-LX550 AU-MIC-LX550\/2.0 MMP\/2.0 Profile\/MIDP-2.0 Configur", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: LG-LX550 AU-MIC-LX550\/2.0 MMP\/2.0 Profile\/MIDP-2.0 Configur", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /src/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.2; Linux) KHTML/4.2.4 (li Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /src/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.2; Linux) KHTML/4.2.4 (li Requête brute (extrait) GET /src/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.2; Linux) KHTML/4.2.4 (like Gecko) Slackware/13.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 221, "payload_entropy": 5.350910189791123, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ba4fbcceafd79ac82277938a76688e40", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (li", "request_sample": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (like Gecko) Slackware\/13.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (li", "evidence": { "request_sample": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (like Gecko) Slackware\/13.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (li", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7fb694e355b9398f1b1a746856962cdf2013f657", "protocol_details": { "payload_preview": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (li", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (li", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (li", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (li", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /sendgrid-config.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /sendgrid-config.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /sendgrid-config.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 OPR/60.0.3255.70 Accept-Charset: utf-8 Accept-Encoding: gzip Connect Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 270, "payload_entropy": 5.4359610073253215, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5880218a01ea2504780b8e8537505be3", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "request_sample": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.70\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "request_sample": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.70\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "769bf89ab18e9ebe97fdb56ffa6e6285c30a87de", "protocol_details": { "payload_preview": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /static/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) A Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /static/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) A Requête brute (extrait) GET /static/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/71.0.3578.89 Mobile/15E148 Safari/605.1 Accept-Charset: utf-8 Accept-Encoding: g Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 282, "payload_entropy": 5.417517501109619, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "077969417a8313076183364f4cd60377", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/static\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) A", "request_sample": "GET \/static\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/71.0.3578.89 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "payload_snippet": "GET \/static\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) A", "evidence": { "request_sample": "GET \/static\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/71.0.3578.89 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "payload_snippet": "GET \/static\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) A", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "23606e54159ad8c10ac9260db3874f4787acfa9b", "protocol_details": { "payload_preview": "GET \/static\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) A", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/static\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) A", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/static\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) A", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/static\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) A", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 244, "payload_entropy": 5.447553372524188, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e82848a7ca48d49f52d95ea4f995e13e", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "request_sample": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "evidence": { "request_sample": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "32f659658f6a76e423cd1d6f078c4d32433874f4", "protocol_details": { "payload_preview": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /public/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWeb Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /public/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWeb Requête brute (extrait) GET /public/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3792.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 260, "payload_entropy": 5.452234114869751, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4e07d2a395eda72f53440d58d57f3e35", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWeb", "request_sample": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3792.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWeb", "evidence": { "request_sample": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3792.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWeb", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5059b341d62cb0040566ca3264d6eea11c5b4fc9", "protocol_details": { "payload_preview": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWeb", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWeb", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWeb", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWeb", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /config/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 6 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /config/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /config/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240&Win32 Accept-Charset: utf-8 Accept-Encoding: gzip Conn Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 273, "payload_entropy": 5.426357760900694, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fc3e37af13d7b5016a9d426e6d9b087d328253b0", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4eb7f3eb9cc269adb1db0cde2bec7430", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "request_sample": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240&Win32\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "request_sample": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240&Win32\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a63bf99defabff7beed0997169f5c10e99cf6ba7", "protocol_details": { "payload_preview": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /assets/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 ( Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /assets/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 ( Requête brute (extrait) GET /assets/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 249, "payload_entropy": 5.438071021065147, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4be8560d3a7f4208b37751bd9d293a73", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (", "request_sample": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (", "evidence": { "request_sample": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2e67b6adb9093b6649c37244e8833f0fc06b7529", "protocol_details": { "payload_preview": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /sendgrid_helper.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) Ap Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /sendgrid_helper.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) Ap Requête brute (extrait) GET /sendgrid_helper.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.5(0x17000523) NetType/4G Language/zh_CN Accept-Charset: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 308, "payload_entropy": 5.446585603003002, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "340d25c99b9856a59ca771000e0a0573", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) Ap", "request_sample": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.5(0x17000523) NetType\/4G Language\/zh_CN\r\nAccept-Charset:", "payload_snippet": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) Ap", "evidence": { "request_sample": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.5(0x17000523) NetType\/4G Language\/zh_CN\r\nAccept-Charset:", "payload_snippet": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) Ap", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6d6be1baf37950093691943d6f7c478ae81ee4c5", "protocol_details": { "payload_preview": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) Ap", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) Ap", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) Ap", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) Ap", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 59
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /sendgrid.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 59 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /sendgrid.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit Requête brute (extrait) GET /sendgrid.py HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16B92 MicroMessenger/7.0.5(0x17000523) NetType/WIFI Language/zh_CN Accept-Charset: utf-8 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 300, "payload_entropy": 5.494143576132475, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e209513b8b3ab78e88cba9328a7d8378", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 59 }, "payload_preview": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit", "request_sample": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16B92 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: utf-8\r\n", "payload_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit", "evidence": { "request_sample": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16B92 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: utf-8\r\n", "payload_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d6a86ca81e081dc9921787099c21ae20949929ee", "protocol_details": { "payload_preview": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 59 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 59, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:30:15 UTC	TCP	9443 · HTTPS	https	Flood / DDoS http flood · via HTTPS:9443 · (tentative d'exploit)	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe net_flood websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /mailer/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: msnbot/1.1 ( http://search.msn.com/msnbot.htm) Accept-Char Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /mailer/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: msnbot/1.1 ( http://search.msn.com/msnbot.htm) Accept-Char Requête brute (extrait) GET /mailer/sendgrid.js HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: msnbot/1.1 ( http://search.msn.com/msnbot.htm) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 184, "payload_entropy": 5.085410262178293, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "ID", "dst_port": 9443, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5d7a54c39cf9421e33ae6b4b572905b0b1c15fb7", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0103", "pat-0600" ], "matched_pattern_names": [ "LFI Double-dot bypass", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0103", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "15ce535ef2855fdd37a46c1b188085d5", "path_pattern_hash": "4d7cc3b45cbf3e5b6ce484f88d569789" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 51 }, "payload_preview": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Char", "request_sample": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Char", "evidence": { "request_sample": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Char", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4ba435e48057564dd5b938429645d41c1a5e6be5", "protocol_details": { "payload_preview": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Char", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Char", "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Char", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Char", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }

34.101.45.12

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence