Renseignement sur les menaces

Indonésie

34.101.59.109

FAI Google LLC Première vue 15/06/2026 12:37 UTC Dernière vue 15/06/2026 12:37 UTC Risque Critique

Période analysée : 2026-06-12 → 2026-06-19

Activité suspecte — risque 66/100 (Élevé) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 91/100 Critique

Première observation 15/06/2026 12:37 UTC

Dernière observation 15/06/2026 12:37 UTC

Événements (période) 854

MITRE ATT&CK principal TA0007 432 occurrences

Activité suspecte — risque 66/100 (Élevé) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_flood » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 88 · Bonus corrélation +8 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 34.101.32.0/19 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 854 événements sur la période pour cette IP.

162.216.150.202 Scanner web 19/06/2026 06:39 UTC
147.185.133.30 Scanner web 19/06/2026 06:38 UTC
162.216.149.105 Scanner web 19/06/2026 06:37 UTC
205.210.31.196 Sonde port 19/06/2026 06:36 UTC
205.210.31.172 Sonde port 19/06/2026 06:36 UTC
198.235.24.239 Sonde port 19/06/2026 06:35 UTC
162.216.150.105 Scanner web 19/06/2026 06:35 UTC
205.210.31.138 Scanner web 19/06/2026 06:32 UTC

Événements (filtres)

854

Première observation

15/06/2026 12:37 UTC

Dernière observation

15/06/2026 12:37 UTC

Dernière activité (filtres)

15/06/2026 12:37 UTC

Événements 7j

854

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 427 TLS TCP 427

HTTP

427

TLS

427

Géolocalisation

Origine réseau déclarée

Indonésie unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 8150 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

http flood · via HTTP:8150 · (tentative d'exploit) · → /sendgrid.config.json

Détails protocole

Méthode: GET
Chemin: /sendgrid.config.json
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) M…

Aperçu payload

GET /sendgrid.config.json HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X)

Port / service

8150 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — 3 tag(s) WAF

Technique MITRE

T1499

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1499 Upstream Waf Score

Confiance

100% Corrélation +8

Famille de menace

ddos

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

854 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

854 événement(s) — page 2/18

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /mailer/sendgrid.js	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /mailer/sendgrid.js UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /mailer/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /mailer/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /mailer/sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /mailer/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /mailer/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "e65381e09416f9f44e15da480f747a5f92effc5c", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "f0266273bf48ddd4776744bfb636ed48db1f9a0e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.411356395933572, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 65, "tag_count": 4, "anomaly_count": 0, "campaign_key": "934cfa808198138f459be647ab1957f3c134b957", "event_fingerprint": "302d032375f50f3ae0fa3fbceb4910fd155f4c13", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c937486453a28bce9489cfffbedb5491", "payload_hash": "423f5f54e567b318164fe7dd92d7d292", "path_pattern_hash": "6ecfd778a602d8c5515ae4f71e84d137" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/mailer\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/mailer\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f2475c955a576108cbab10c092049c4872f08cef", "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.js", "request_line": "GET \/mailer\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.js", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.js", "request_line": "GET \/mailer\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.js", "evidence_snippet": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /static/js/sendgrid.js	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /static/js/sendgrid.js UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWeb… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /static/js/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /static/js/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — 4 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /static/js/sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) OPT/1.10.1 Mobile/15E148 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /static/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) A Requête brute (extrait) GET /static/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) OPT/1.10.1 Mobile/15E148 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "edf0e8a3e1d87e93d19336fd0c9974eb535b5188", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "ddd3a9b3f48c6bae364c57b22089cf14b8553bb8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.343811427514689, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.6, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 6, "anomaly_count": 0, "campaign_key": "d0d90cf80e7a93cfe9b7769330bd3d4904a6fb2f", "event_fingerprint": "e241eb4904a2c67ae16499a6855adbd43f1c02e4", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4a8197cf6e075165c47cd3bb2a089bb0", "payload_hash": "d368a355433879f153b345c47ea67349", "path_pattern_hash": "93094bc722813d7455c7ed98cc68fdb3" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/static\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) A", "method": "GET", "path": "\/static\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) OPT\/1.10.1 Mobile\/15E148", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/static\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) OPT\/1.10.1 Mobile\/15E148\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/static\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) A", "evidence": { "method": "GET", "path": "\/static\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) OPT\/1.10.1 Mobile\/15E148", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/static\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) OPT\/1.10.1 Mobile\/15E148\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/static\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) A", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2a9c330597009548ab2405d0dc2e97ee2073d2ef", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/sendgrid.js", "request_line": "GET \/static\/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) OPT\/1.10.1 Mobile\/15E148", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/static\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) A", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/sendgrid.js", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/sendgrid.js", "request_line": "GET \/static\/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) OPT\/1.10.1 Mobile\/15E148", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/sendgrid.js", "evidence_snippet": "GET \/static\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) A", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_static", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /sendgrid.py	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.py UA Mozilla/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit/537.36… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit/537.36 (K Requête brute (extrait) GET /sendgrid.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "py", "http_ua_hash": "9c9d1ddf64da3acd32b851a86025e730c231be41", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "0e3f38ff7e509e55407449d72c93d40ab0729e93", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.395996883394779, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "faec9de111549281d11225263d87c6cdbccacb7a", "event_fingerprint": "6e9085b2433290da8b3251834a2461965bf27133", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e85ce18c5fc96ebdf7a59c1dff7d8ff7", "payload_hash": "41c4ac4e3afa3cc61e8329d8f4348755", "path_pattern_hash": "5599d311df7384f76edaf185f5d025e3" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.py HTTP\/1.1", "request_sample": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.py HTTP\/1.1", "request_sample": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (K", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dba3d035ff565a13e9b7f85ee6900c7860bcd482", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.py", "request_line": "GET \/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (K", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.py", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.py", "request_line": "GET \/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.py", "evidence_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (K", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /public/js/sendgrid.js	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /public/js/sendgrid.js UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /public/js/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /public/js/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — 4 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /public/js/sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /public/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /public/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "2be45be822a0113cf3e9179d7148a66947b7d527", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "3d8d45d4780341cf69b3566ae14a0edf2136ab23", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.440894387942805, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 70, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c5ee4077a4c9c13d49fbceb341187e1b98645e77", "event_fingerprint": "ef7c9959975ed03bfe0cffc2668600242746815e", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8a11a34e9c12e87c61c23a0d679ff58e", "payload_hash": "6dee3f42652cb6a4bed1396a53eed5c2", "path_pattern_hash": "f58945cff6efd1a814c6e2366d5811fb" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/public\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/public\/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/public\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/public\/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "74a7f5d7b85305e6457b232bf61f74eea9c72b91", "protocol_details": { "http_method": "GET", "http_path": "\/public\/js\/sendgrid.js", "request_line": "GET \/public\/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/js\/sendgrid.js", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/public\/js\/sendgrid.js", "request_line": "GET \/public\/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/js\/sendgrid.js", "evidence_snippet": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /sendgrid.js	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.js UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 Requête brute (extrait) GET /sendgrid.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "e14b345515e4a0ecac6af1218d121f55c8bede84", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "af3d72bf73a37ea591ef956266b665cf12d6558b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.414360932400868, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "faec9de111549281d11225263d87c6cdbccacb7a", "event_fingerprint": "efd9a67a82517f20e593328a72c560bafeea1a9b", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f9550e9b713392ad4e1dfff8185c6c0b", "payload_hash": "3cddca4e304561cc51d15a5304182dbb", "path_pattern_hash": "f692cb581dcfe0e04c53a5afcbe187bf" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.36", "method": "GET", "path": "\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.js HTTP\/1.1", "request_sample": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.js HTTP\/1.1", "request_sample": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5792fc69ac6f0d672fe1f7c2e7a1b5bc6d02facb", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.js", "request_line": "GET \/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.js", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.js", "request_line": "GET \/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.js", "evidence_snippet": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.36", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /backend/sendgrid.py	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /backend/sendgrid.py UA Bloglines/3.1 (http://www.bloglines.com) Émulateur HTTP WAF 18 Recommandation Investiguer Tags 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /backend/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /backend/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /backend/sendgrid.py HTTP/1.1` User-Agent Bloglines/3.1 (http://www.bloglines.com) Règles WAF ssrf-3 nosqli-3 Payload (extrait) GET /backend/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Bloglines/3.1 (http://www.bloglines.com) Accept-Charset: Requête brute (extrait) GET /backend/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Bloglines/3.1 (http://www.bloglines.com) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "975326d5732e2772ce9acb34b1ae6ebe02f75034", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "9b3b3fd51ae018208ce4d96cbad2187f4475e746", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 179, "payload_entropy": 5.150263975208574, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 80, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 80, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "d01bc75727ccafaf830fc3e0c8eaa282a64827dd", "event_fingerprint": "adac49e9fc602c413658960d7e618a34884c0aba", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 80, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "037a45c4fdf48b4096c5d4f65bba5976", "payload_hash": "2bd0b3edd93b9c995bbf3c29e28cd20f", "path_pattern_hash": "ecf29d1ed95b1fd215637cce0a9e7303" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Bloglines\/3.1 (http:\/\/www.bloglines.com)\r\nAccept-Charset: ", "method": "GET", "path": "\/backend\/sendgrid.py", "user_agent": "Bloglines\/3.1 (http:\/\/www.bloglines.com)", "waf_tags": [ "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "ssrf-3", "nosqli-3" ], "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Bloglines\/3.1 (http:\/\/www.bloglines.com)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Bloglines\/3.1 (http:\/\/www.bloglines.com)\r\nAccept-Charset:", "evidence": { "method": "GET", "path": "\/backend\/sendgrid.py", "user_agent": "Bloglines\/3.1 (http:\/\/www.bloglines.com)", "waf_tags": [ "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "ssrf-3", "nosqli-3" ], "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Bloglines\/3.1 (http:\/\/www.bloglines.com)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Bloglines\/3.1 (http:\/\/www.bloglines.com)\r\nAccept-Charset:", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b6b720dc402fb678a4c949b90c0587b5805b4fdd", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/sendgrid.py", "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "http_user_agent": "Bloglines\/3.1 (http:\/\/www.bloglines.com)", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Bloglines\/3.1 (http:\/\/www.bloglines.com)\r\nAccept-Charset:", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/sendgrid.py", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 80, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/sendgrid.py", "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "http_user_agent": "Bloglines\/3.1 (http:\/\/www.bloglines.com)", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/sendgrid.py", "evidence_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Bloglines\/3.1 (http:\/\/www.bloglines.com)\r\nAccept-Charset:", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 80 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /sendgrid.min.js	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.min.js UA Mozilla/5.0 (compatible; Yahoo! Slurp China; http://misc.yahoo.… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /sendgrid.min.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /sendgrid.min.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — 4 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /sendgrid.min.js HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Yahoo! Slurp China; http://misc.yahoo.com.cn/help.html) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /sendgrid.min.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp China; http://misc.yahoo Requête brute (extrait) GET /sendgrid.min.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp China; http://misc.yahoo.com.cn/help.html) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "2c593fe199eecb4c868eab750ee5858e8cf2e9ce", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "c3c746112c0f0239b9db723ddc097884068a0409", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 215, "payload_entropy": 5.192858375057888, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 70, "tag_count": 5, "anomaly_count": 0, "campaign_key": "87efa92a994cc7ac9620b61722e44d137229a56e", "event_fingerprint": "900be0320275a4d2b6b3b1e3f8c18291b608f4e7", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e0769509f771e005fcee7274b57952ca", "payload_hash": "7c32a9e18c6ba664700e0649a6aa02bd", "path_pattern_hash": "eedccc9bc850fd543465f59f02102b9c" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo", "method": "GET", "path": "\/sendgrid.min.js", "user_agent": "Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo.com.cn\/help.html)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sendgrid.min.js HTTP\/1.1", "request_sample": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo.com.cn\/help.html)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo", "evidence": { "method": "GET", "path": "\/sendgrid.min.js", "user_agent": "Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo.com.cn\/help.html)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sendgrid.min.js HTTP\/1.1", "request_sample": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo.com.cn\/help.html)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d292c0136068a44eac8271980bb87fab47a03aad", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.min.js", "request_line": "GET \/sendgrid.min.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo.com.cn\/help.html)", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.min.js", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.min.js", "request_line": "GET \/sendgrid.min.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo.com.cn\/help.html)", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.min.js", "evidence_snippet": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /js/sendgrid.js	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /js/sendgrid.js UA iTunes/9.0.2 (Windows; N) Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 net_flood Cible HTTP GET /js/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /js/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 67 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /js/sendgrid.js HTTP/1.1` User-Agent iTunes/9.0.2 (Windows; N) Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: iTunes/9.0.2 (Windows; N) Accept-Charset: utf-8 Accept-Encodi Requête brute (extrait) GET /js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: iTunes/9.0.2 (Windows; N) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "62c7a4f561331db55e9d732ac42a3e6a3b0a6719", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "7114249614c60cac92b11c965ba88c076eabbbd2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 159, "payload_entropy": 5.1529246386183045, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 92, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 67, "tag_count": 4, "anomaly_count": 0, "campaign_key": "813fc463158ed958f071183c6e7f85c8e2faf645", "event_fingerprint": "ba98452ae32e3edaf156c0ae6ae537af242a4900", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 67, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "80c7a2ec952a92279503d16dd31aeb9d", "payload_hash": "d337e9c688cfe1112226ff99f16f8cf2", "path_pattern_hash": "e872e36d7b0986feefb905fe01ffcd7c" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: iTunes\/9.0.2 (Windows; N)\r\nAccept-Charset: utf-8\r\nAccept-Encodi", "method": "GET", "path": "\/js\/sendgrid.js", "user_agent": "iTunes\/9.0.2 (Windows; N)", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: iTunes\/9.0.2 (Windows; N)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: iTunes\/9.0.2 (Windows; N)\r\nAccept-Charset: utf-8\r\nAccept-Encodi", "evidence": { "method": "GET", "path": "\/js\/sendgrid.js", "user_agent": "iTunes\/9.0.2 (Windows; N)", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: iTunes\/9.0.2 (Windows; N)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: iTunes\/9.0.2 (Windows; N)\r\nAccept-Charset: utf-8\r\nAccept-Encodi", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6ac51fdea3398938ee0947de0f69f4095f86c682", "protocol_details": { "http_method": "GET", "http_path": "\/js\/sendgrid.js", "request_line": "GET \/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "iTunes\/9.0.2 (Windows; N)", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: iTunes\/9.0.2 (Windows; N)\r\nAccept-Charset: utf-8\r\nAccept-Encodi", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/sendgrid.js", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 67, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/js\/sendgrid.js", "request_line": "GET \/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "iTunes\/9.0.2 (Windows; N)", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/sendgrid.js", "evidence_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: iTunes\/9.0.2 (Windows; N)\r\nAccept-Charset: utf-8\r\nAccept-Encodi", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /email/sendgrid.py	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /email/sendgrid.py UA Mozilla/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build/HRI… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /email/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /email/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /email/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build/HRI83) AppleWebkit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /email/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build/ Requête brute (extrait) GET /email/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build/HRI83) AppleWebkit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13 Accept-Charset: utf-8 Accept-Encoding: gzip Connectio Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "5c96917f2e7233b20b0cc9e93369805d64c81459", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "190af723c99988769325445339d91d711879f378", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 268, "payload_entropy": 5.412247114121402, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 65, "tag_count": 4, "anomaly_count": 0, "campaign_key": "934cfa808198138f459be647ab1957f3c134b957", "event_fingerprint": "211f2e7d8d29060fb04944cd504b1b98027f3d16", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ab981d7fe999a1ab3024925533449903", "payload_hash": "d3cd5719ddee5589a69db84e76d489fb", "path_pattern_hash": "aa093fa1b6f985e5ed81b711d71d6186" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build\/", "method": "GET", "path": "\/email\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build\/HRI83) AppleWebkit\/534.13 (KHTML, like Gecko) Version\/4.0 Safari\/534.13", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/email\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build\/HRI83) AppleWebkit\/534.13 (KHTML, like Gecko) Version\/4.0 Safari\/534.13\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build\/", "evidence": { "method": "GET", "path": "\/email\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build\/HRI83) AppleWebkit\/534.13 (KHTML, like Gecko) Version\/4.0 Safari\/534.13", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/email\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build\/HRI83) AppleWebkit\/534.13 (KHTML, like Gecko) Version\/4.0 Safari\/534.13\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build\/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0d4ddda4aa2582f47175039ec3adfd5cb5c02fc0", "protocol_details": { "http_method": "GET", "http_path": "\/email\/sendgrid.py", "request_line": "GET \/email\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build\/HRI83) AppleWebkit\/534.13 (KHTML, like Gecko) Version\/4.0 S\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build\/", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/email\/sendgrid.py", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/email\/sendgrid.py", "request_line": "GET \/email\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build\/HRI83) AppleWebkit\/534.13 (KHTML, like Gecko) Version\/4.0 S\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/email\/sendgrid.py", "evidence_snippet": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build\/", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /sendgrid-config.js	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid-config.js UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleW… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid-config.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /sendgrid-config.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid-config.js HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Mobile/15E148 Safari/604.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid-config.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) Ap Requête brute (extrait) GET /sendgrid-config.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Mobile/15E148 Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "4a089f08acea2fc398890e2ab42604a92a54d7ee", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "c8b4913a314d5374735dff4b95e1cff311f5c4dc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 277, "payload_entropy": 5.360953780656245, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "faec9de111549281d11225263d87c6cdbccacb7a", "event_fingerprint": "a44c10634a8e10f04a449c2269c4190f204aebd1", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c4d723f771cce494730079f642dbfbc2", "payload_hash": "5013627cef4cc99beb086682c7bd88d2", "path_pattern_hash": "2b99e2b2f22e64aa3052d2699e1fc307" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) Ap", "method": "GET", "path": "\/sendgrid-config.js", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid-config.js HTTP\/1.1", "request_sample": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\n", "payload_snippet": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) Ap", "evidence": { "method": "GET", "path": "\/sendgrid-config.js", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid-config.js HTTP\/1.1", "request_sample": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\n", "payload_snippet": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) Ap", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5212f9fcb85fa341be82750f43fcc8eb7fb6ce4e", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-config.js", "request_line": "GET \/sendgrid-config.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) Ap", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-config.js", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-config.js", "request_line": "GET \/sendgrid-config.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-config.js", "evidence_snippet": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) Ap", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /sendgrid.json	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.json UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/607… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /sendgrid.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.json HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/607.2.6 (KHTML, like Gecko) Version/12.1.1 Safari/607.2.6 Maxthon/5.1.132 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.json HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/607. Requête brute (extrait) GET /sendgrid.json HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/607.2.6 (KHTML, like Gecko) Version/12.1.1 Safari/607.2.6 Maxthon/5.1.132 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "bd24e915f688b8d66845c302b04a91f5d491f0a5", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "334746630c59d3caca795d70405b3b173f74a90b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 266, "payload_entropy": 5.382774328868263, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "faec9de111549281d11225263d87c6cdbccacb7a", "event_fingerprint": "6947cff3f0fdced91fafc17545e3a26323073425", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ca71f6b0fbd36aea76c5a73408e425b7", "payload_hash": "2c4e64b30b8f1b9a1c10d185e261c27d", "path_pattern_hash": "e6f5fbc298134f1524aeaece47705fce" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.", "method": "GET", "path": "\/sendgrid.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.2.6 (KHTML, like Gecko) Version\/12.1.1 Safari\/607.2.6 Maxthon\/5.1.132", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.json HTTP\/1.1", "request_sample": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.2.6 (KHTML, like Gecko) Version\/12.1.1 Safari\/607.2.6 Maxthon\/5.1.132\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.", "evidence": { "method": "GET", "path": "\/sendgrid.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.2.6 (KHTML, like Gecko) Version\/12.1.1 Safari\/607.2.6 Maxthon\/5.1.132", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.json HTTP\/1.1", "request_sample": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.2.6 (KHTML, like Gecko) Version\/12.1.1 Safari\/607.2.6 Maxthon\/5.1.132\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4694d3cc8c0fe595eb0481a56faf5bb8c5f0dea3", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.json", "request_line": "GET \/sendgrid.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.2.6 (KHTML, like Gecko) Version\/12.1.1 Safari\/607.2.6 M\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.json", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.json", "request_line": "GET \/sendgrid.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.2.6 (KHTML, like Gecko) Version\/12.1.1 Safari\/607.2.6 M\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.json", "evidence_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /mail/sendgrid.py	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /mail/sendgrid.py UA Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20100101 Firefox/5.0 Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_mail Cible HTTP GET /mail/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /mail/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /mail/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20100101 Firefox/5.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /mail/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20100101 Firefox/ Requête brute (extrait) GET /mail/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20100101 Firefox/5.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "176d55df1b422582e60165c30d18266635f7e796", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "4e4e30676a1660aa4bddd155759e5f2063e42ebb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 200, "payload_entropy": 5.280793719419409, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "7b70d92b69ab3762f5354a476af17b715b5ffc7a", "event_fingerprint": "b786fd5a4cd76921f7a06ce96feb2aa3262029d2", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3fe7d61f493e507df8d8cda3a88717c8", "payload_hash": "b3409fe1338c95d5d59b259fc928329a", "path_pattern_hash": "b5e77b51819ded84d893a1ced6a06cf4" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:5.0) Gecko\/20100101 Firefox\/", "method": "GET", "path": "\/mail\/sendgrid.py", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:5.0) Gecko\/20100101 Firefox\/5.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mail\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:5.0) Gecko\/20100101 Firefox\/5.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:5.0) Gecko\/20100101 Firefox\/", "evidence": { "method": "GET", "path": "\/mail\/sendgrid.py", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:5.0) Gecko\/20100101 Firefox\/5.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mail\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:5.0) Gecko\/20100101 Firefox\/5.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:5.0) Gecko\/20100101 Firefox\/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "037a9c0d5a35eda5aa4361d568d3541c5d3a0a58", "protocol_details": { "http_method": "GET", "http_path": "\/mail\/sendgrid.py", "request_line": "GET \/mail\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:5.0) Gecko\/20100101 Firefox\/5.0", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:5.0) Gecko\/20100101 Firefox\/", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mail\/sendgrid.py", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/mail\/sendgrid.py", "request_line": "GET \/mail\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:5.0) Gecko\/20100101 Firefox\/5.0", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mail\/sendgrid.py", "evidence_snippet": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:5.0) Gecko\/20100101 Firefox\/", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_mail", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /sendgrid_config.py	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid_config.py UA Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Ge… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid_config.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /sendgrid_config.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid_config.py HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Ubuntu/11.10 Chromium/15.0.874.120 Chrome/15.0.874.120 Safari/535.2 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid_config.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, lik Requête brute (extrait) GET /sendgrid_config.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Ubuntu/11.10 Chromium/15.0.874.120 Chrome/15.0.874.120 Safari/535.2 Accept-Charset: utf-8 Accept-Encoding: gzip Conn Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "py", "http_ua_hash": "10b0d842caaedd8324f537849b7a09eb1a2c0a1e", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "a8a91d2a8a844789d248ad7ec78ac7f9ab48d8a3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 273, "payload_entropy": 5.420733461411622, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "faec9de111549281d11225263d87c6cdbccacb7a", "event_fingerprint": "2c3541c533f676ab14a2aec663f8e1dd48a5c295", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "04b187a7437a9377bf5abbeaf7da2d2e", "payload_hash": "985b113095f738111ad1faac8c1bd5cb", "path_pattern_hash": "5188a9e48f153fb145fe03b080df78ed" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/535.2 (KHTML, lik", "method": "GET", "path": "\/sendgrid_config.py", "user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/535.2 (KHTML, like Gecko) Ubuntu\/11.10 Chromium\/15.0.874.120 Chrome\/15.0.874.120 Safari\/535.2", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid_config.py HTTP\/1.1", "request_sample": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/535.2 (KHTML, like Gecko) Ubuntu\/11.10 Chromium\/15.0.874.120 Chrome\/15.0.874.120 Safari\/535.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/535.2 (KHTML, lik", "evidence": { "method": "GET", "path": "\/sendgrid_config.py", "user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/535.2 (KHTML, like Gecko) Ubuntu\/11.10 Chromium\/15.0.874.120 Chrome\/15.0.874.120 Safari\/535.2", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid_config.py HTTP\/1.1", "request_sample": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/535.2 (KHTML, like Gecko) Ubuntu\/11.10 Chromium\/15.0.874.120 Chrome\/15.0.874.120 Safari\/535.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/535.2 (KHTML, lik", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e5d2a8c6ec73f439a42dd4759fb2463823d64476", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid_config.py", "request_line": "GET \/sendgrid_config.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/535.2 (KHTML, like Gecko) Ubuntu\/11.10 Chromium\/15.0.874.120 Chrome\/15.0.874.\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/535.2 (KHTML, lik", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid_config.py", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid_config.py", "request_line": "GET \/sendgrid_config.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/535.2 (KHTML, like Gecko) Ubuntu\/11.10 Chromium\/15.0.874.120 Chrome\/15.0.874.\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid_config.py", "evidence_snippet": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/535.2 (KHTML, lik", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /sendgrid.php	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.php UA BlackBerry8330/4.3.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 Ve… Émulateur HTTP WAF 6 Recommandation Investiguer Tags 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /sendgrid.php Service HTTP Pourquoi cette classification : Tags WAF: nosqli-3 · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.php HTTP/1.1` User-Agent BlackBerry8330/4.3.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/105 Règles WAF nosqli-3 Payload (extrait) GET /sendgrid.php HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: BlackBerry8330/4.3.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 Vend Requête brute (extrait) GET /sendgrid.php HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: BlackBerry8330/4.3.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/105 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "b12d9239d57e112849e3a30be9daa4719dbceae4", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "aeebeac9e1ed0166b8b2a8b12207a52ac16be70d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 205, "payload_entropy": 5.256081989578084, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 32, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 2, "anomaly_count": 0, "campaign_key": "e64e24f48c4ba1824fb545b0fde27d3f0e9dbef7", "event_fingerprint": "f30df1d9341e382b368ba27f5e408174f9962256", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5a1c6ec7b928967f9d8d3e355e2c57d0", "payload_hash": "a8e3459d61988fbcbad2f5b666139216", "path_pattern_hash": "1c628b1c6b42ab40202a01c40f9a976e" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 Vend", "method": "GET", "path": "\/sendgrid.php", "user_agent": "BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/105", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/sendgrid.php HTTP\/1.1", "request_sample": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/105\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 Vend", "evidence": { "method": "GET", "path": "\/sendgrid.php", "user_agent": "BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/105", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/sendgrid.php HTTP\/1.1", "request_sample": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/105\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 Vend", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5bc3d2aac530f0d3dbff98dc02583bb6f7ffd6f2", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.php", "request_line": "GET \/sendgrid.php HTTP\/1.1", "http_user_agent": "BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/105", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 Vend", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.php", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.php", "request_line": "GET \/sendgrid.php HTTP\/1.1", "http_user_agent": "BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/105", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.php", "evidence_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 Vend", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /sendgrid_helper.py	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid_helper.py UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid_helper.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /sendgrid_helper.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid_helper.py HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid_helper.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /sendgrid_helper.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "py", "http_ua_hash": "43e4b0179faf26f5e73f9a782deef3b6a3d8046e", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "772198c723c64c6ab2c19442e512e9b63957a609", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.435773346749031, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "faec9de111549281d11225263d87c6cdbccacb7a", "event_fingerprint": "44686cca8f1a2e38bc6b52ac86798470c593e60d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "70bf21fb1ce09d0c48dddb280b358e18", "payload_hash": "ad08174001bb0aa7a0a22fc75a1ee4a7", "path_pattern_hash": "f0a726c4ecbb7f24a7410bc2568f13fc" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/sendgrid_helper.py", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.108 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid_helper.py HTTP\/1.1", "request_sample": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.108 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/sendgrid_helper.py", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.108 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid_helper.py HTTP\/1.1", "request_sample": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.108 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eeab58ba09bd8e27e2b90274b174136530fc1bd6", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid_helper.py", "request_line": "GET \/sendgrid_helper.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.108 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid_helper.py", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid_helper.py", "request_line": "GET \/sendgrid_helper.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.108 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid_helper.py", "evidence_snippet": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /backend/sendgrid.js	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /backend/sendgrid.js UA EmailWolf 1.00 Émulateur HTTP WAF 6 Recommandation Investiguer Tags 950468:nosqli-3 net_flood Cible HTTP GET /backend/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /backend/sendgrid.js Service HTTP Pourquoi cette classification : Tags WAF: nosqli-3 · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/sendgrid.js HTTP/1.1` User-Agent EmailWolf 1.00 Règles WAF nosqli-3 Payload (extrait) GET /backend/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: EmailWolf 1.00 Accept-Charset: utf-8 Accept-Encoding: gz Requête brute (extrait) GET /backend/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: EmailWolf 1.00 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "dcfc498d4e1428fb9bd198420c4c2d710f4fc4ee", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "7780371ee1da1efa0a933ac9cc0a62e8162ae0b1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 153, "payload_entropy": 5.127149238853393, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 32, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 2, "anomaly_count": 0, "campaign_key": "f1100e9db2bf35af67c88a09dadad069fbd30d05", "event_fingerprint": "51bb08649b609a57734286696207149694799ffc", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "61fd284487c1f3fbc759ccc3e3812d07", "payload_hash": "036fcb61bd3f0e6adb31550e938abb82", "path_pattern_hash": "6b7d9f0363df4f0d6ef22b0d50871ee8" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/backend\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: EmailWolf 1.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "method": "GET", "path": "\/backend\/sendgrid.js", "user_agent": "EmailWolf 1.00", "waf_tags": [ "950468:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/backend\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/backend\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: EmailWolf 1.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: EmailWolf 1.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "evidence": { "method": "GET", "path": "\/backend\/sendgrid.js", "user_agent": "EmailWolf 1.00", "waf_tags": [ "950468:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/backend\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/backend\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: EmailWolf 1.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: EmailWolf 1.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c4b0a6d14e08655e0ca9e8c7e8b3f9ddce77851a", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/sendgrid.js", "request_line": "GET \/backend\/sendgrid.js HTTP\/1.1", "http_user_agent": "EmailWolf 1.00", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: EmailWolf 1.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/sendgrid.js", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/sendgrid.js", "request_line": "GET \/backend\/sendgrid.js HTTP\/1.1", "http_user_agent": "EmailWolf 1.00", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/sendgrid.js", "evidence_snippet": "GET \/backend\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: EmailWolf 1.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /mailer/sendgrid.php	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /mailer/sendgrid.php UA Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /mailer/sendgrid.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /mailer/sendgrid.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /mailer/sendgrid.php HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14) Gecko/20110218 AlexaToolbar/alxf-2.0 Firefox/3.6.14 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /mailer/sendgrid.php HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: Requête brute (extrait) GET /mailer/sendgrid.php HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14) Gecko/20110218 AlexaToolbar/alxf-2.0 Firefox/3.6.14 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "b95d712f35662713c68c82a4913564c7e14d7500", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "dae727d8f431c63a4890b644ed3bde6b8b286d4f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.339514275314341, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 65, "tag_count": 4, "anomaly_count": 0, "campaign_key": "934cfa808198138f459be647ab1957f3c134b957", "event_fingerprint": "b398579d5f3ac9dc55e5cc64490c8f7e2cd5a93d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58b0de13403b501cfdd4e32e88b926a3", "payload_hash": "703e665b05f9321887605d63b4c1877d", "path_pattern_hash": "efcedb7b18ae8ea8d96de301e7bc027e" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:", "method": "GET", "path": "\/mailer\/sendgrid.php", "user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14) Gecko\/20110218 AlexaToolbar\/alxf-2.0 Firefox\/3.6.14", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.php HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14) Gecko\/20110218 AlexaToolbar\/alxf-2.0 Firefox\/3.6.14\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:", "evidence": { "method": "GET", "path": "\/mailer\/sendgrid.php", "user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14) Gecko\/20110218 AlexaToolbar\/alxf-2.0 Firefox\/3.6.14", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.php HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14) Gecko\/20110218 AlexaToolbar\/alxf-2.0 Firefox\/3.6.14\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "510edee5d5e5da549b03917d3f5f006698c8e00e", "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.php", "request_line": "GET \/mailer\/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14) Gecko\/20110218 AlexaToolbar\/alxf-2.0 Firefox\/3.6.14", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.php", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.php", "request_line": "GET \/mailer\/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14) Gecko\/20110218 AlexaToolbar\/alxf-2.0 Firefox\/3.6.14", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.php", "evidence_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /config/sendgrid.py	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.py UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /config/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit Requête brute (extrait) GET /config/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "a462c8ab92e25e3b7d82632b0b39076a5905cb5c", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "c39a8449a6e4f2889aa8a56e74d7dff99a1b9759", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.4386089097696955, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "9676e1a272e946b36a3b37a61109a899b616f427", "event_fingerprint": "83639e20e9d0d0bac2ca9f8135ff18e7cf4558ce", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "aa4bf7c6e91118abdcf9d37d0508a2b7", "payload_hash": "9b247fcd9bf6d83a0c3140f31603fd19", "path_pattern_hash": "9abcee9f2bf7633ad04f7c379dbcfd85" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit", "method": "GET", "path": "\/config\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit", "evidence": { "method": "GET", "path": "\/config\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0d195946d9f3fe53befed72bf9cb26315e19eb27", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.py", "request_line": "GET \/config\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.py", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.py", "request_line": "GET \/config\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.py", "evidence_snippet": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /config/sendgrid.php	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.php UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /config/sendgrid.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.php HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.php HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKi Requête brute (extrait) GET /config/sendgrid.php HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "363e1ebf472037cb84ba27232093f374e269420a", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "5a7c4db4e49228f435e7f3ef670fd7a77af86fbd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.385560426985185, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "9676e1a272e946b36a3b37a61109a899b616f427", "event_fingerprint": "260f7e53c234751bbed18e898959150a37f0d2d0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "99cfea7588f08f054926334ea17308c1", "payload_hash": "028094d9266f01db2499c92b061cb8c8", "path_pattern_hash": "c0ea70e9176b91c1342a31c50481c975" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKi", "method": "GET", "path": "\/config\/sendgrid.php", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.php HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKi", "evidence": { "method": "GET", "path": "\/config\/sendgrid.php", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.php HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKi", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "df90c689306d17d358678299156230e2abdcaee8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.php", "request_line": "GET \/config\/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKi", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.php", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.php", "request_line": "GET \/config\/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.php", "evidence_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKi", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /src/sendgrid.py	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /src/sendgrid.py UA Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0 Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /src/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /src/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /src/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /src/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6 Requête brute (extrait) GET /src/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "30f64055157dc1523c27299ce23be3c06ab177dd", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "1199ec6af8250c9d336ec91a467a574f2ae011ba", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 199, "payload_entropy": 5.2526408862178, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 65, "tag_count": 4, "anomaly_count": 0, "campaign_key": "934cfa808198138f459be647ab1957f3c134b957", "event_fingerprint": "87ffc30ba785348ff6bc82c068f15d7c76758715", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1321ad0a029ffe243cfb2e0f8f41e310", "payload_hash": "5e7dcd84d24f9e2d4576225085debac4", "path_pattern_hash": "1599bd71dd6b66802ca7702f410c4986" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6", "method": "GET", "path": "\/src\/sendgrid.py", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/src\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6", "evidence": { "method": "GET", "path": "\/src\/sendgrid.py", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/src\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0ab55964d09874d539dd9a57d6c716ed86156553", "protocol_details": { "http_method": "GET", "http_path": "\/src\/sendgrid.py", "request_line": "GET \/src\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/sendgrid.py", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/src\/sendgrid.py", "request_line": "GET \/src\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/sendgrid.py", "evidence_snippet": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /config/sendgrid.yml	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.yml UA Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Ge… Émulateur HTTP WAF 12 Recommandation Investiguer Tags 950468:nosqli-3 950470:nosqli-3 http_probe_config net_flood Cible HTTP GET /config/sendgrid.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /config/sendgrid.yml Service HTTP Pourquoi cette classification : Tags WAF: nosqli-3 · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 YaBrowser/17.3.0.1785 Yowser/2.5 Safari/537.36 Règles WAF nosqli-3 Payload (extrait) GET /config/sendgrid.yml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /config/sendgrid.yml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 YaBrowser/17.3.0.1785 Yowser/2.5 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Conn Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "22a358cccea2daf46b8f0e0a52733ee09291d8ab", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "0bd9f817e7997b41e7d0b8b8dd114ee25267d094", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 273, "payload_entropy": 5.416831035620943, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 56, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f014beecea64f0514e730365e7403b4e3ec3bfcb", "event_fingerprint": "f01bb9240e7a6ec260c1b62420447cc3375663e3", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5df81b5f983af6e14df6d7ffadcccd84", "payload_hash": "7e98533c6943ea77c0a32c33651f916c", "path_pattern_hash": "b33a5d11f328bd7713feb258f3d7e0c0" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/config\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/config\/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/config\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/config\/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "546e719bd7451723f24bfdf7755dcde3111677a0", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.yml", "request_line": "GET \/config\/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.yml", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.yml", "request_line": "GET \/config\/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.yml", "evidence_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 56 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /config/sendgrid.js	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.js UA Mozilla/5.0 (Linux; Android 8.1; PBBM00 Build/O11019) AppleWebK… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /config/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1; PBBM00 Build/O11019) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 YaBrowser/17.6.1.345.00 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 8.1; PBBM00 Build/O11019) Apple Requête brute (extrait) GET /config/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 8.1; PBBM00 Build/O11019) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 YaBrowser/17.6.1.345.00 Mobile Safari/537.36 Accept-Charset: utf-8 Acce Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "2d955ae65e62d2618aeaa0697e8bd4e23b6cd760", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "dfc017b1f5d967c2ea8d62566bf7510e84bb5637", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 296, "payload_entropy": 5.444007722171398, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "9676e1a272e946b36a3b37a61109a899b616f427", "event_fingerprint": "655bc86b310e64566fa4ea202ad7d97f5eecbc00", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f3cec72b3fdea9cbaeb6091209e89337", "payload_hash": "25c75687c404bc842f9cd2d646b93efe", "path_pattern_hash": "cf64c655ed198e8031863155489c92f2" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1; PBBM00 Build\/O11019) Apple", "method": "GET", "path": "\/config\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1; PBBM00 Build\/O11019) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 YaBrowser\/17.6.1.345.00 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1; PBBM00 Build\/O11019) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 YaBrowser\/17.6.1.345.00 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAcce", "payload_snippet": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1; PBBM00 Build\/O11019) Apple", "evidence": { "method": "GET", "path": "\/config\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1; PBBM00 Build\/O11019) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 YaBrowser\/17.6.1.345.00 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1; PBBM00 Build\/O11019) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 YaBrowser\/17.6.1.345.00 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAcce", "payload_snippet": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1; PBBM00 Build\/O11019) Apple", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "010db07824a12df21330f1c1dd041aef690f8576", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.js", "request_line": "GET \/config\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1; PBBM00 Build\/O11019) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 YaBro\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1; PBBM00 Build\/O11019) Apple", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.js", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.js", "request_line": "GET \/config\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1; PBBM00 Build\/O11019) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 YaBro\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.js", "evidence_snippet": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1; PBBM00 Build\/O11019) Apple", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /sendgrid-config.json	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid-config.json UA Mozilla/5.0 (Linux; Android 8.0.0; SM-N950F) AppleWebKit/537.36… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid-config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /sendgrid-config.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid-config.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; SM-N950F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid-config.json HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-N950F) AppleWebKit/ Requête brute (extrait) GET /sendgrid-config.json HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-N950F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "d3c60c85e60768bd45ac6bf6e4d21aace1f8e952", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "7d5ebcf94187fd12c4375ea09c6c54bd408b8303", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 264, "payload_entropy": 5.4173546139411775, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "faec9de111549281d11225263d87c6cdbccacb7a", "event_fingerprint": "d7cc2757cb65d01ba3f8cff3d1d187ed2158fbe1", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bc9cb3965ca5b45b9c3f658262251f1c", "payload_hash": "c137bf82c56d5f6056641d405b84b8f6", "path_pattern_hash": "170a7f6ff312a524729718105c471f02" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-N950F) AppleWebKit\/", "method": "GET", "path": "\/sendgrid-config.json", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-N950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "request_sample": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-N950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-N950F) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/sendgrid-config.json", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-N950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "request_sample": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-N950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-N950F) AppleWebKit\/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "45f367736cdd2b1f5e609a2abe864c4da3be91fc", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-config.json", "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-N950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-N950F) AppleWebKit\/", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-config.json", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-config.json", "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-N950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-config.json", "evidence_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-N950F) AppleWebKit\/", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /sendgrid.yml	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.yml UA Mozilla/5.0 (Linux; U; Android 9; zh-cn; PCCM00 Build/PKQ1.1902… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /sendgrid.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 9; zh-cn; PCCM00 Build/PKQ1.190223.001) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.80 Mobile Safari/537.36 OppoBrowser/20.6.0.0.2beta Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.yml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; U; Android 9; zh-cn; PCCM00 Build/PKQ1.190223 Requête brute (extrait) GET /sendgrid.yml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; U; Android 9; zh-cn; PCCM00 Build/PKQ1.190223.001) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.80 Mobile Safari/537.36 OppoBrowser/20.6.0.0.2beta Ac Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "776c6025c89a1285c01b4856cc42e67106079190", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "fe30445de825aa0bffca483abd821a9f6a87533d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 321, "payload_entropy": 5.461865923407207, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "faec9de111549281d11225263d87c6cdbccacb7a", "event_fingerprint": "f51ac1f1ab6fac5dba040ff0b5aa782a445c6958", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b27e2ce6c738b4cdbf64a1d014592232", "payload_hash": "9cee6a0284f8fe1e16702e77090db766", "path_pattern_hash": "7777bc3cc4ee53dc76c001dce4e79fd5" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; zh-cn; PCCM00 Build\/PKQ1.190223", "method": "GET", "path": "\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (Linux; U; Android 9; zh-cn; PCCM00 Build\/PKQ1.190223.001) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/70.0.3538.80 Mobile Safari\/537.36 OppoBrowser\/20.6.0.0.2beta", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; zh-cn; PCCM00 Build\/PKQ1.190223.001) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/70.0.3538.80 Mobile Safari\/537.36 OppoBrowser\/20.6.0.0.2beta\r\nAc", "payload_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; zh-cn; PCCM00 Build\/PKQ1.190223", "evidence": { "method": "GET", "path": "\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (Linux; U; Android 9; zh-cn; PCCM00 Build\/PKQ1.190223.001) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/70.0.3538.80 Mobile Safari\/537.36 OppoBrowser\/20.6.0.0.2beta", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; zh-cn; PCCM00 Build\/PKQ1.190223.001) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/70.0.3538.80 Mobile Safari\/537.36 OppoBrowser\/20.6.0.0.2beta\r\nAc", "payload_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; zh-cn; PCCM00 Build\/PKQ1.190223", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5afaf5d7244400eb413a06268059cfc3dd312218", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yml", "request_line": "GET \/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 9; zh-cn; PCCM00 Build\/PKQ1.190223.001) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; zh-cn; PCCM00 Build\/PKQ1.190223", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yml", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yml", "request_line": "GET \/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 9; zh-cn; PCCM00 Build\/PKQ1.190223.001) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yml", "evidence_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; zh-cn; PCCM00 Build\/PKQ1.190223", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /app/sendgrid.py	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app/sendgrid.py UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /app/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /app/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /app/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "0b64792790bfe5aae712bab74a5c284677cee5d4", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "a743b8206ca823c369ef5eb8bfeb21a48b56cf7e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 245, "payload_entropy": 5.420469994568851, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 65, "tag_count": 4, "anomaly_count": 0, "campaign_key": "934cfa808198138f459be647ab1957f3c134b957", "event_fingerprint": "be83187862b1195a77845a88ca4cfc8ca8beb475", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "303d077d9de5f8a596d41b4f0a301373", "payload_hash": "c3d51ac7486d65617e94ccc5dfeea600", "path_pattern_hash": "bbc1021582141e8e631079ccf6c69d4d" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/app\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/app\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "afeb6e0511c686e3692852fe54c2d71857fc51d3", "protocol_details": { "http_method": "GET", "http_path": "\/app\/sendgrid.py", "request_line": "GET \/app\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/sendgrid.py", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/sendgrid.py", "request_line": "GET \/app\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/sendgrid.py", "evidence_snippet": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /mailer/sendgrid.py	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /mailer/sendgrid.py UA Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefo… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /mailer/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /mailer/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /mailer/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /mailer/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Fi Requête brute (extrait) GET /mailer/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "9fe1d434762cf4ac057833518979290540fcab3d", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "9b85ba3fc4ac4a1549d12be2ecef5722bb151f3a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 208, "payload_entropy": 5.316250514420366, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 65, "tag_count": 4, "anomaly_count": 0, "campaign_key": "934cfa808198138f459be647ab1957f3c134b957", "event_fingerprint": "15e462774ee82afa9207dfb791da5458123c99a2", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9e891955b533973e79af7e6349946bd1", "payload_hash": "2218382c7bc541a6edb690560758aa5f", "path_pattern_hash": "8c4b21a7860b8f6d464d0085eb236a5b" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Fi", "method": "GET", "path": "\/mailer\/sendgrid.py", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Fi", "evidence": { "method": "GET", "path": "\/mailer\/sendgrid.py", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Fi", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "70c4be655fc8fd3ab28c9530fbd3fd5680c8bae8", "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.py", "request_line": "GET \/mailer\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Fi", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.py", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.py", "request_line": "GET \/mailer\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.py", "evidence_snippet": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko\/20100101 Fi", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /config/sendgrid.json	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.json UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /config/sendgrid.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.json HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.19 Safari/537.36 Edg/77.0.235.9 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.json HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebK Requête brute (extrait) GET /config/sendgrid.json HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.19 Safari/537.36 Edg/77.0.235.9 Accept-Charset: utf-8 Accept-Encoding: gzip Co Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "a413bcd835c724e212abb93349bbf67f2616539a", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "6c93d1b9fbdf8e8d128caa00a09f6faf39a40791", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 275, "payload_entropy": 5.422421232772195, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "9676e1a272e946b36a3b37a61109a899b616f427", "event_fingerprint": "b4242fc1ea621fc56d3cd683d2ab03f061934939", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4c251a092d26971ed458f84b5ac267d9", "payload_hash": "bdaa62908ab23a09714690c13006225b", "path_pattern_hash": "b3c041376e66dccb94b76d7207504df9" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebK", "method": "GET", "path": "\/config\/sendgrid.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36 Edg\/77.0.235.9", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36 Edg\/77.0.235.9\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "payload_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebK", "evidence": { "method": "GET", "path": "\/config\/sendgrid.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36 Edg\/77.0.235.9", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36 Edg\/77.0.235.9\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "payload_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebK", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8104a3cdf9993a5c117e43c641238e9b7f4f0cf0", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.json", "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.3\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebK", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.json", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.json", "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.3\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.json", "evidence_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebK", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /sendgrid.yaml	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.yaml UA Mozilla/5.0 (Linux; Android 9; GM1917) AppleWebKit/537.36 (KHTM… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /sendgrid.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; GM1917) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.yaml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 9; GM1917) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /sendgrid.yaml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 9; GM1917) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "a72cb44b77f705dfad42bf99e191154153cac1f4", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "6ddb9259a81c5943f174c8762a08f320950440bd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.410837781774884, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "faec9de111549281d11225263d87c6cdbccacb7a", "event_fingerprint": "bb223235994d313e1454e44c69674f17b4ec2a83", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63ccc5b3b08cee6d0ff7cd59b3427dcd", "payload_hash": "db5d3e5a5b8b2dd74adf56cbdff6fa13", "path_pattern_hash": "586d42da805584afffe4b06de4328fe7" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/sendgrid.yaml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "request_sample": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/sendgrid.yaml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "request_sample": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aa69e477a3febde9d98b053be5ee8f127a0b1931", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yaml", "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yaml", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yaml", "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yaml", "evidence_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:55 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /sendgrid.config.json	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.config.json UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleW… Émulateur HTTP WAF 20 Recommandation Investiguer Tags 950086:sqli-21 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /sendgrid.config.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.config.json HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16C104 MicroMessenger/7.0.5(0x17000523) NetType/4G Language/zh_CN Règles WAF sqli-21 rce-0 nosqli-3 Payload (extrait) GET /sendgrid.config.json HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) Requête brute (extrait) GET /sendgrid.config.json HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16C104 MicroMessenger/7.0.5(0x17000523) NetType/4G Language/zh_CN Accept-Charse Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "4af7bc39912e902dac64ddc9ebcef81f82909553", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "eeb189e33107611f717db38a6842e4ac40f53918", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 310, "payload_entropy": 5.424811697521363, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 88, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 88, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 66, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b839b6dd278b9122fc28376b36b208e9c1cd9529", "event_fingerprint": "ec3d18e28800557e0ba0bf2a4f5e234c64fbc3d4", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 88, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "983f8800255038b3da137fa504c1ce5c", "payload_hash": "723052678f0dcad69c63aa81ac361731", "path_pattern_hash": "d03aef47d2b763bc56a13f3ba838e778" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) ", "method": "GET", "path": "\/sendgrid.config.json", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMessenger\/7.0.5(0x17000523) NetType\/4G Language\/zh_CN", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "request_sample": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMessenger\/7.0.5(0x17000523) NetType\/4G Language\/zh_CN\r\nAccept-Charse", "payload_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X)", "evidence": { "method": "GET", "path": "\/sendgrid.config.json", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMessenger\/7.0.5(0x17000523) NetType\/4G Language\/zh_CN", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "request_sample": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMessenger\/7.0.5(0x17000523) NetType\/4G Language\/zh_CN\r\nAccept-Charse", "payload_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X)", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1a5a86df59744381cc5a6223476f9c1f7ef36d13", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.config.json", "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMe\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X)", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.config.json", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 88, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.config.json", "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMe\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.config.json", "evidence_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X)", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8150 · (tentative d'exploit) · → /wp-config.php	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /wp-config.php UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950518:leak-5 http_backup_file_scan Cible HTTP GET /wp-config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /wp-config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0195 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /wp-config.php Ligne de requête `GET /wp-config.php HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-5 Payload (extrait) GET /wp-config.php HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /wp-config.php HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "4b34faf3bb1b579874fe2a9de9ae1f9c2939f5e1", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "614b4fba7293e8b03e4e9dd43da4a4c26e954f4b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 238, "payload_entropy": 5.430260235351189, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.6, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 6, "anomaly_count": 0, "campaign_key": "8d396772611a34853ae25e6f5cd50296a076e9b2", "event_fingerprint": "33dd7491907da344c3d6a9733dcd5d54a9541494", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0195" ], "matched_pattern_names": [ "Probe \/wp-config.php" ], "pattern_ids": [ "pat-0195" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fdb80025e99489fe497e7387349cd0a4", "payload_hash": "033d7af47db144145ea1beec8f28b643", "path_pattern_hash": "c8d91e6e96b16ee20ca9851d4b7ccb28" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like ", "method": "GET", "path": "\/wp-config.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php HTTP\/1.1", "request_sample": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "evidence": { "method": "GET", "path": "\/wp-config.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php HTTP\/1.1", "request_sample": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b72539ae51346ceaa97a594f9fce2cdb603b5f63", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php", "request_line": "GET \/wp-config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "config file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0195", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php", "request_line": "GET \/wp-config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php", "evidence_snippet": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8150 · (tentative d'exploit) · → /private/config.json	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /private/config.json UA Mozilla/5.0 (Linux; Android 4.4.4; XT1032 Build/KXB21.14-L1.61)… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_private Cible HTTP GET /private/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /private/config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /private/config.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 4.4.4; XT1032 Build/KXB21.14-L1.61) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.94 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /private/config.json HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; XT1032 Build/KXB21.14-L Requête brute (extrait) GET /private/config.json HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; XT1032 Build/KXB21.14-L1.61) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.94 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: g Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "6d2b46e8278920412ee30aff45a6b683b3b6e8a9", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "9da8385e7491d9f52a230e3a1c8c565aba119417", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 282, "payload_entropy": 5.458354664065299, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.6, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 6, "anomaly_count": 0, "campaign_key": "2e8c25d6768a7a28aab460bd53a3b3d435014ae6", "event_fingerprint": "35e7e928cf99354fa4d49b9882729ef2a1f10df3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e3929104ea59abcdd881b7a256fedb17", "payload_hash": "9ed542fb66bdd4cc1ba76a69cb003423", "path_pattern_hash": "a8e2e774a183bdb09e7d488718c8d6ab" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; XT1032 Build\/KXB21.14-L", "method": "GET", "path": "\/private\/config.json", "user_agent": "Mozilla\/5.0 (Linux; Android 4.4.4; XT1032 Build\/KXB21.14-L1.61) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.94 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private\/config.json HTTP\/1.1", "request_sample": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; XT1032 Build\/KXB21.14-L1.61) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.94 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "payload_snippet": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; XT1032 Build\/KXB21.14-L", "evidence": { "method": "GET", "path": "\/private\/config.json", "user_agent": "Mozilla\/5.0 (Linux; Android 4.4.4; XT1032 Build\/KXB21.14-L1.61) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.94 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private\/config.json HTTP\/1.1", "request_sample": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; XT1032 Build\/KXB21.14-L1.61) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.94 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "payload_snippet": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; XT1032 Build\/KXB21.14-L", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "adc214930bde5fb494eed7a32787289751c6d501", "protocol_details": { "http_method": "GET", "http_path": "\/private\/config.json", "request_line": "GET \/private\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 4.4.4; XT1032 Build\/KXB21.14-L1.61) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; XT1032 Build\/KXB21.14-L", "attack_vector": "config file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/config.json", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/private\/config.json", "request_line": "GET \/private\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 4.4.4; XT1032 Build\/KXB21.14-L1.61) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/config.json", "evidence_snippet": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; XT1032 Build\/KXB21.14-L", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_private", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /services/application.yml	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /services/application.yml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /services/application.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /services/application.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /services/application.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.42 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /services/application.yml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit Requête brute (extrait) GET /services/application.yml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.42 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "45f91def00f8b8a4e84a5e46a0602e992f7966c1", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "55b6d2ef8836af67e6f27bf09e5982be1b55ff6c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.417799664005833, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 65, "tag_count": 4, "anomaly_count": 0, "campaign_key": "328f00c27a48e8749c9ef4d5a4ca729c78d934ab", "event_fingerprint": "267ab7a3893603d0e7d6089fc024872f545bf1b6", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "236db24e4793d97e5cd528d7002c4996", "payload_hash": "1be530c2687ec8515dd059b820d0d3e4", "path_pattern_hash": "427a79bd587af67e27894e14297375f5" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "method": "GET", "path": "\/services\/application.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/services\/application.yml HTTP\/1.1", "request_sample": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "evidence": { "method": "GET", "path": "\/services\/application.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/services\/application.yml HTTP\/1.1", "request_sample": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "87c0d75150eda28db93f3731a108d7661dbfcd44", "protocol_details": { "http_method": "GET", "http_path": "\/services\/application.yml", "request_line": "GET \/services\/application.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/application.yml", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/services\/application.yml", "request_line": "GET \/services\/application.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/application.yml", "evidence_snippet": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /local-config.php	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /local-config.php UA Opera/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto/2.… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /local-config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /local-config.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /local-config.php HTTP/1.1` User-Agent Opera/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto/2.7.62 Version/11.00 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /local-config.php HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto/ Requête brute (extrait) GET /local-config.php HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto/2.7.62 Version/11.00 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "beb66f24b12bddd097d4f2d5110b8998b100a9e7", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "f971bf8f22fd021ef405c24b8881915ea7b1fbe0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 217, "payload_entropy": 5.209373576149105, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "faec9de111549281d11225263d87c6cdbccacb7a", "event_fingerprint": "293ed7677526e374cdeffcd68efb3ed927ceee7f", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "921f45a5ed02a17bacd647e73fd6b64b", "payload_hash": "18b87ddd048b6ea54f4080433b78bfa3", "path_pattern_hash": "00f0907ad6288d75ebc36cdda29800e8" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto\/", "method": "GET", "path": "\/local-config.php", "user_agent": "Opera\/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto\/2.7.62 Version\/11.00", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/local-config.php HTTP\/1.1", "request_sample": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto\/2.7.62 Version\/11.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto\/", "evidence": { "method": "GET", "path": "\/local-config.php", "user_agent": "Opera\/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto\/2.7.62 Version\/11.00", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/local-config.php HTTP\/1.1", "request_sample": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto\/2.7.62 Version\/11.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto\/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "064da55ecac4cdbe98f82cbe25118ab6cab238e8", "protocol_details": { "http_method": "GET", "http_path": "\/local-config.php", "request_line": "GET \/local-config.php HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto\/2.7.62 Version\/11.00", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto\/", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/local-config.php", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/local-config.php", "request_line": "GET \/local-config.php HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto\/2.7.62 Version\/11.00", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/local-config.php", "evidence_snippet": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto\/", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:8150 · (tentative d'exploit) · → /deploy/secrets.json	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /deploy/secrets.json UA Mozilla/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit/537.… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_k8s_probe Cible HTTP GET /deploy/secrets.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /deploy/secrets.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux pat-0496 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Secrets JSON file Ligne de requête `GET /deploy/secrets.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /deploy/secrets.json HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit Requête brute (extrait) GET /deploy/secrets.json HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "f3835d35cd2637e9a5d15acde80637dcb0ee57ff", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "60385d96f8574ab4bcb6af1ba09ecde50592baec", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 266, "payload_entropy": 5.393065517669201, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "659c5a25246192d31e1f41ad0875a4b72eadd1c4", "event_fingerprint": "e019ee817c88302dd6d982b727b060e4371a98de", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0496" ], "matched_pattern_names": [ "Cred Secrets JSON file" ], "pattern_ids": [ "pat-0496" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1e64156bbeb33a5302cb2a2ca45ba91b", "payload_hash": "378836cf1b784bef4e061b2a137e6e14", "path_pattern_hash": "be3edf5651a95f93a63bb6eed77eea15" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/deploy\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit", "method": "GET", "path": "\/deploy\/secrets.json", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/deploy\/secrets.json HTTP\/1.1", "request_sample": "GET \/deploy\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/deploy\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit", "evidence": { "method": "GET", "path": "\/deploy\/secrets.json", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/deploy\/secrets.json HTTP\/1.1", "request_sample": "GET \/deploy\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/deploy\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8a6103e214aa4cab28d5c71b4bfca367ef9a7090", "protocol_details": { "http_method": "GET", "http_path": "\/deploy\/secrets.json", "request_line": "GET \/deploy\/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safar\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/deploy\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit", "attack_vector": "credential file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/deploy\/secrets.json", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0496", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/deploy\/secrets.json", "request_line": "GET \/deploy\/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safar\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/deploy\/secrets.json", "evidence_snippet": "GET \/deploy\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_k8s_probe", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8150 · (tentative d'exploit) · → /wp-config.bak	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /wp-config.bak UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950521:leak-8 http_backup_file_scan Cible HTTP GET /wp-config.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /wp-config.bak Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /wp-config.bak HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-8 Payload (extrait) GET /wp-config.bak HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /wp-config.bak HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "e5d8976fad48d6744084e68790cdf6a60af1d198", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "d73217ca969ed03b12511b11b89b08b96130cc19", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 242, "payload_entropy": 5.43545571440882, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.6, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fba85c5ec12507ded91d854d7d5f3fa84295fc24", "event_fingerprint": "4b095f7d2f48d68aa238ce5bc758f6ea2bd3092c", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 143, "precision_signals": [ "SIGMA-web-config-leak", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1193ba43b94cb79d8bebeb09a195edd6", "payload_hash": "a3d62396d43bff09ab40c756ff2932f9", "path_pattern_hash": "513fb4daa4f4d1d20414ef0e31bb8617" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/wp-config.bak", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.96 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-8" ], "request_line": "GET \/wp-config.bak HTTP\/1.1", "request_sample": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.96 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/wp-config.bak", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.96 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-8" ], "request_line": "GET \/wp-config.bak HTTP\/1.1", "request_sample": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.96 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c98bf629ddb36f2a783ac33153f3fe6193a8d293", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.bak", "request_line": "GET \/wp-config.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.96 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "config file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.bak", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.bak", "request_line": "GET \/wp-config.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.96 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.bak", "evidence_snippet": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8150 · (tentative d'exploit) · → /bootstrap/cache/config.php	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /bootstrap/cache/config.php UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /bootstrap/cache/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /bootstrap/cache/config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Generic config.php Ligne de requête `GET /bootstrap/cache/config.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3887.7 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /bootstrap/cache/config.php HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebK Requête brute (extrait) GET /bootstrap/cache/config.php HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3887.7 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "php", "http_ua_hash": "dce620796822c8d4fac5c00d5c660eb031d9c359", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "bac3b02f1ce936e593505ba9114b968f810c00c8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.391888583629921, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "7f8b217ccd674ba6517da66016800735e4064716", "event_fingerprint": "361450fb6e6562540331b3b43fd7c6e0eeb6031c", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0118" ], "matched_pattern_names": [ "LFI Generic config.php" ], "pattern_ids": [ "pat-0118" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0d085d781fdc301aec97e1dcd81b2852", "payload_hash": "49816d9506617234c2fccd095db31029", "path_pattern_hash": "9823c90115688ca8a60aa1cefb3b4c36" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "method": "GET", "path": "\/bootstrap\/cache\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.7 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bootstrap\/cache\/config.php HTTP\/1.1", "request_sample": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.7 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "evidence": { "method": "GET", "path": "\/bootstrap\/cache\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.7 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bootstrap\/cache\/config.php HTTP\/1.1", "request_sample": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.7 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "85d264aec0d5c6d7b4d7cce30a3635fbb2af7bdb", "protocol_details": { "http_method": "GET", "http_path": "\/bootstrap\/cache\/config.php", "request_line": "GET \/bootstrap\/cache\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.7 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "attack_vector": "config file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bootstrap\/cache\/config.php", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/bootstrap\/cache\/config.php", "request_line": "GET \/bootstrap\/cache\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.7 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bootstrap\/cache\/config.php", "evidence_snippet": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8150 · (tentative d'exploit) · → /v1/config.json	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /v1/config.json UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v1/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /v1/config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — 4 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /v1/config.json HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.79 Safari/537.4 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /v1/config.json HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537. Requête brute (extrait) GET /v1/config.json HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.79 Safari/537.4 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "074dde9236a1f8cf03020371fe0dbb0e8026df12", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "e1865ad3140924e10c86b3b0491226fecbd86d31", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.426078445794409, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 6, "anomaly_count": 0, "campaign_key": "b2c26408f2457e445b519648113f5f8b18fbde3e", "event_fingerprint": "f9b0af195b1cc01f34bc8ac6a4fda72ba219bd1b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9d5fb344a94baff49f7b4cfde7d3d1aa", "payload_hash": "64244de6e715e2a552d851999bb15ace", "path_pattern_hash": "4172adffd8adf564d7794f5ddcfe5fac" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit\/537.", "method": "GET", "path": "\/v1\/config.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit\/537.4 (KHTML like Gecko) Chrome\/22.0.1229.79 Safari\/537.4", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/v1\/config.json HTTP\/1.1", "request_sample": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit\/537.4 (KHTML like Gecko) Chrome\/22.0.1229.79 Safari\/537.4\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/v1\/config.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit\/537.4 (KHTML like Gecko) Chrome\/22.0.1229.79 Safari\/537.4", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/v1\/config.json HTTP\/1.1", "request_sample": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit\/537.4 (KHTML like Gecko) Chrome\/22.0.1229.79 Safari\/537.4\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit\/537.", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ba0977b9d1312a5ac99976e29952edd8d2bb3e95", "protocol_details": { "http_method": "GET", "http_path": "\/v1\/config.json", "request_line": "GET \/v1\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit\/537.4 (KHTML like Gecko) Chrome\/22.0.1229.79 Safari\/537.4", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit\/537.", "attack_vector": "config file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v1\/config.json", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/v1\/config.json", "request_line": "GET \/v1\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit\/537.4 (KHTML like Gecko) Chrome\/22.0.1229.79 Safari\/537.4", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v1\/config.json", "evidence_snippet": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit\/537.", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8150 · (tentative d'exploit) · → /wp-config.php~	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /wp-config.php~ UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950518:leak-5 http_backup_file_scan Cible HTTP GET /wp-config.php~ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /wp-config.php~ Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0195 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /wp-config.php Ligne de requête `GET /wp-config.php~ HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 OPR/58.0.3135.107 Règles WAF rce-0 nosqli-3 leak-5 Payload (extrait) GET /wp-config.php~ HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /wp-config.php~ HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 OPR/58.0.3135.107 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php~", "http_ua_hash": "64b9455dfe735d628cce750e68df424617391eb9", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "863c7f3ef890e19c474d54faa2637f21aa61f24b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.470474478558111, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.6, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 6, "anomaly_count": 0, "campaign_key": "8d396772611a34853ae25e6f5cd50296a076e9b2", "event_fingerprint": "9b680c60036e99fc465958bb01b7616147303512", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0195" ], "matched_pattern_names": [ "Probe \/wp-config.php" ], "pattern_ids": [ "pat-0195" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1aff1e9f841b5dfe178924605f88fd9c", "payload_hash": "ed108d1064cf1af09ef8e7702da2683b", "path_pattern_hash": "01859822ace956c1e8cfef788e43bcce" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "method": "GET", "path": "\/wp-config.php~", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.107", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php~ HTTP\/1.1", "request_sample": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.107\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "evidence": { "method": "GET", "path": "\/wp-config.php~", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.107", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php~ HTTP\/1.1", "request_sample": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.107\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "44eb36d52703a65f6b55fcb6c1a77a8b6626e976", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php~", "request_line": "GET \/wp-config.php~ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "config file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php~", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0195", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php~", "request_line": "GET \/wp-config.php~ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.\u2026", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php~", "evidence_snippet": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8150 · (tentative d'exploit) · → /wp-config.php.old	Élevée	Critique · 91
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /wp-config.php.old UA Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) Émulateur HTTP WAF 23 Recommandation Bloquer (recommandé) Tags 950326:rce-0 950518:leak-5 950521:leak-8 http_backup_file_scan Cible HTTP GET /wp-config.php.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /wp-config.php.old Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Critique · 91 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0195 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 933111 Probe /wp-config.php Ligne de requête `GET /wp-config.php.old HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) Règles WAF rce-0 leak-5 leak-8 Payload (extrait) GET /wp-config.php.old HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11 Requête brute (extrait) GET /wp-config.php.old HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "old", "http_ua_hash": "e9d0567dec6e67f36347e506d447c3912ab7bda2", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "24c516a67db44cfad409a699aaddb7e13edd5983", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 198, "payload_entropy": 5.275057405221826, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 7.3, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 91, "tag_count": 8, "anomaly_count": 0, "campaign_key": "7df7f6ba32625e9f329c7245058edce6506f655a", "event_fingerprint": "a03c56e3fdda430e031852371f43d628b704be76", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0160", "pat-0195" ], "matched_pattern_names": [ "CRS 933111", "Probe \/wp-config.php" ], "pattern_ids": [ "pat-0160", "pat-0195" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 91, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "47a9c7a51a4cdc95c8753b8e179575b0", "payload_hash": "2320a2011c18ef01dea96942bad213e0", "path_pattern_hash": "5fcd528564d98f34a98115294a2df668" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 91 }, "payload_preview": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11", "method": "GET", "path": "\/wp-config.php.old", "user_agent": "Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)", "waf_tags": [ "950326:rce-0", "950518:leak-5", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "leak-5", "leak-8" ], "request_line": "GET \/wp-config.php.old HTTP\/1.1", "request_sample": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11", "evidence": { "method": "GET", "path": "\/wp-config.php.old", "user_agent": "Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)", "waf_tags": [ "950326:rce-0", "950518:leak-5", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "leak-5", "leak-8" ], "request_line": "GET \/wp-config.php.old HTTP\/1.1", "request_sample": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "block", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3b3beeee464ca232439ac9c906b4d0410115b5ee", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.old", "request_line": "GET \/wp-config.php.old HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11", "attack_vector": "config file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php.old", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 91\/100 (Critique) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 91, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 91, "risk_label": "Critique", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0195", "Upstream" ], "recommended_action": "block", "recommended_action_label": "Bloquer (recommand\u00e9)", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.old", "request_line": "GET \/wp-config.php.old HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php.old", "evidence_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_block", "tags_list": [ "950326:rce-0", "950518:leak-5", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_metasploit_ua", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /storage/logs/laravel.log	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /storage/logs/laravel.log UA Mozilla/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko/20110623 Firefo… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /storage/logs/laravel.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /storage/logs/laravel.log Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Laravel log Ligne de requête `GET /storage/logs/laravel.log HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko/20110623 Firefox/7.0a1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /storage/logs/laravel.log HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko/20110 Requête brute (extrait) GET /storage/logs/laravel.log HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko/20110623 Firefox/7.0a1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "log", "http_ua_hash": "f2cf947415e0bd8251985704bb970663da1b2f75", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "8fec6092b6d50f048de7f5341eb923ae4a4ab6d3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 214, "payload_entropy": 5.305589766183791, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "fa61879ddc7a6d86d5a40662b1f319b65d8996f0", "event_fingerprint": "ebddadf1f0e47342be6fe15eed60cbfabb6e9264", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0124" ], "matched_pattern_names": [ "LFI Laravel log" ], "pattern_ids": [ "pat-0124" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a69a41ab5095e3c9fb109b0603116ced", "payload_hash": "a15565599247012b2e23a83dbd9ea6a3", "path_pattern_hash": "6f29914bb94c22caf991d0657dba887c" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110", "method": "GET", "path": "\/storage\/logs\/laravel.log", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110623 Firefox\/7.0a1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/storage\/logs\/laravel.log HTTP\/1.1", "request_sample": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110623 Firefox\/7.0a1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110", "evidence": { "method": "GET", "path": "\/storage\/logs\/laravel.log", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110623 Firefox\/7.0a1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/storage\/logs\/laravel.log HTTP\/1.1", "request_sample": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110623 Firefox\/7.0a1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0212a2fd43273367c1dca5c40083282907d058eb", "protocol_details": { "http_method": "GET", "http_path": "\/storage\/logs\/laravel.log", "request_line": "GET \/storage\/logs\/laravel.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110623 Firefox\/7.0a1", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/storage\/logs\/laravel.log", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/storage\/logs\/laravel.log", "request_line": "GET \/storage\/logs\/laravel.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110623 Firefox\/7.0a1", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/storage\/logs\/laravel.log", "evidence_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /core/settings.py	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /core/settings.py UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_core Cible HTTP GET /core/settings.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /core/settings.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Django settings Ligne de requête `GET /core/settings.py HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /core/settings.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /core/settings.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "4e40b754177d1f49692ed041d7676835db2f8a37", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "c07bd471de5a4ef5ce7e0f7af89cdd9467cb3bb4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 245, "payload_entropy": 5.412029104869874, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4cd689ef516024b146e2d503f5e2ab681904b177", "event_fingerprint": "21800cdf0d9860a0403d57a4099ef56ccb92feaa", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0112" ], "matched_pattern_names": [ "LFI Django settings" ], "pattern_ids": [ "pat-0112" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7697b1a321cff681099e6e1cb67176ea", "payload_hash": "87d1c85a0fbd5b3be93c72443669593f", "path_pattern_hash": "4090a1b4b48d7fc38d1ad38e6bee359c" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/core\/settings.py", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/core\/settings.py HTTP\/1.1", "request_sample": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/core\/settings.py", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/core\/settings.py HTTP\/1.1", "request_sample": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "385a7ab70c31084c182acceb663444e7421aca7b", "protocol_details": { "http_method": "GET", "http_path": "\/core\/settings.py", "request_line": "GET \/core\/settings.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/core\/settings.py", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/core\/settings.py", "request_line": "GET \/core\/settings.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/core\/settings.py", "evidence_snippet": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_core", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /app/config/config.yml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app/config/config.yml UA SonyEricssonK750i/R1CA Browser/SEMC-Browser/4.2 Profile/MIDP-2.… Émulateur HTTP WAF 12 Recommandation Investiguer Tags 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /app/config/config.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /app/config/config.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/config/config.yml HTTP/1.1` User-Agent SonyEricssonK750i/R1CA Browser/SEMC-Browser/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 Règles WAF nosqli-3 Payload (extrait) GET /app/config/config.yml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: SonyEricssonK750i/R1CA Browser/SEMC-Browser/4.2 Profile/ Requête brute (extrait) GET /app/config/config.yml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: SonyEricssonK750i/R1CA Browser/SEMC-Browser/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "ed65ea7e031345677e4b0009f8b6d23d388f7f4b", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "0bba21d28f20bda74433ccee2bdac84d5c74ee34", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 228, "payload_entropy": 5.280709974544008, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 56, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ea4380fe99e123d1780665834579de7c892bf421", "event_fingerprint": "1b437e2022f5bfc83de4f37802967ffff9a9d4e6", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a367fce77caed567cbc03abc059f840a", "payload_hash": "09c1d86781b75c3779060f1dafc29e86", "path_pattern_hash": "2af106832c70de3d5060ddf93222a1d3" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/app\/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/", "method": "GET", "path": "\/app\/config\/config.yml", "user_agent": "SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/app\/config\/config.yml HTTP\/1.1", "request_sample": "GET \/app\/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/", "evidence": { "method": "GET", "path": "\/app\/config\/config.yml", "user_agent": "SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/app\/config\/config.yml HTTP\/1.1", "request_sample": "GET \/app\/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3ab5b0906dcb825a362ea8bc4f975ca48c657e9c", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/config.yml", "request_line": "GET \/app\/config\/config.yml HTTP\/1.1", "http_user_agent": "SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/config.yml", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/config.yml", "request_line": "GET \/app\/config\/config.yml HTTP\/1.1", "http_user_agent": "SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/config.yml", "evidence_snippet": "GET \/app\/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 56 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /app/config/parameters.yml	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app/config/parameters.yml UA Mozilla/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit/537.36 … Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /app/config/parameters.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /app/config/parameters.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/config/parameters.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app/config/parameters.yml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-T820) AppleWeb Requête brute (extrait) GET /app/config/parameters.yml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "95d63f6129759fbfd7715126f77f2d0f6a99428e", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "cc8382c07ae1d99dcd8bb8a9e6a6c1ada2d7d586", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.406662104988766, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 65, "tag_count": 4, "anomaly_count": 0, "campaign_key": "934cfa808198138f459be647ab1957f3c134b957", "event_fingerprint": "c80e6ec7a5be271d0fbf01058904f640a2605186", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "16f8c6ef3fdeee63db1a03394fea0ccb", "payload_hash": "28a161d1def4e2df2f8cb3e9cbb37eef", "path_pattern_hash": "14e465936c1b9cf9455ba711f44752e2" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWeb", "method": "GET", "path": "\/app\/config\/parameters.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWeb", "evidence": { "method": "GET", "path": "\/app\/config\/parameters.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWeb", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2e27cc4d568491b72e3e622ddfcac3fb37f6aaec", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yml", "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWeb", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/parameters.yml", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yml", "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/parameters.yml", "evidence_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWeb", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /project/settings.py	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /project/settings.py UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /project/settings.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /project/settings.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Django settings Ligne de requête `GET /project/settings.py HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /project/settings.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /project/settings.py HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "707595e5b17d2596b4069d19c1db431cc3ab53ed", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "11966cc72e0bfecaa733acc41e44392e18b681e0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.438984488208765, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 65, "tag_count": 4, "anomaly_count": 0, "campaign_key": "934cfa808198138f459be647ab1957f3c134b957", "event_fingerprint": "ab03d13198a0d3cd9c28c5a42a97ac8bf7c7d6ac", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0112" ], "matched_pattern_names": [ "LFI Django settings" ], "pattern_ids": [ "pat-0112" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2a166a97ee449edb59848c730a11ca51", "payload_hash": "d23259864a38b350d3368af240e9ca49", "path_pattern_hash": "c29c8a7c1efc84947f863a90ed9e7db7" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/project\/settings.py", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/project\/settings.py HTTP\/1.1", "request_sample": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/project\/settings.py", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/project\/settings.py HTTP\/1.1", "request_sample": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2010c3e3d31e124b92149909705dff7d84937473", "protocol_details": { "http_method": "GET", "http_path": "\/project\/settings.py", "request_line": "GET \/project\/settings.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/project\/settings.py", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/project\/settings.py", "request_line": "GET \/project\/settings.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/project\/settings.py", "evidence_snippet": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /app/config/parameters.yaml	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app/config/parameters.yaml UA Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /app/config/parameters.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /app/config/parameters.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/config/parameters.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app/config/parameters.yaml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKi Requête brute (extrait) GET /app/config/parameters.yaml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yaml", "http_ua_hash": "101f08546915744f849da0d5b99ff8b8f9b8dcb5", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "83aab3d7a9203cac49bf41e0b5a1c79c704b2790", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.415995135089411, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 65, "tag_count": 4, "anomaly_count": 0, "campaign_key": "934cfa808198138f459be647ab1957f3c134b957", "event_fingerprint": "5eb453c14e21a7944d62335fcd641ccc2954b783", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "189c5262cf21079a4cb04660fe26305d", "payload_hash": "795c33b33e194a0e3b0be0fe1e31864b", "path_pattern_hash": "8c6e5c3e505e4438940b3e0a90e2956a" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKi", "method": "GET", "path": "\/app\/config\/parameters.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yaml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKi", "evidence": { "method": "GET", "path": "\/app\/config\/parameters.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yaml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKi", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "36db8a3c919bef530eb4ac717ab06c242351eca6", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yaml", "request_line": "GET \/app\/config\/parameters.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKi", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/parameters.yaml", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yaml", "request_line": "GET \/app\/config\/parameters.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/parameters.yaml", "evidence_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKi", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /.vscode/settings.json	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.vscode/settings.json UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.vscode/settings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /.vscode/settings.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.vscode/ Ligne de requête `GET /.vscode/settings.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.vscode/settings.json HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /.vscode/settings.json HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "93799164662d1c4517056c596d8144fc6b556370", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "8f13238caccb97889bb93a57a58c8206b67c85b5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.424162271448428, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 65, "tag_count": 4, "anomaly_count": 0, "campaign_key": "328f00c27a48e8749c9ef4d5a4ca729c78d934ab", "event_fingerprint": "796d5d279dc4d7ae161963f0d860c0335f3d40cc", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0227" ], "matched_pattern_names": [ "Probe \/.vscode\/" ], "pattern_ids": [ "pat-0227" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b4075f62679d7d497f6cecb104e09442", "payload_hash": "ab3319520b07484871957c07078f752d", "path_pattern_hash": "f5f67949e6b52d5014abefc02d1fe9f6" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/.vscode\/settings.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/settings.json HTTP\/1.1", "request_sample": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/.vscode\/settings.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/settings.json HTTP\/1.1", "request_sample": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "425bd72b7c3f81f2dbf3f8f43aac1490faa275fa", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/settings.json", "request_line": "GET \/.vscode\/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/settings.json", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/settings.json", "request_line": "GET \/.vscode\/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/settings.json", "evidence_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8150 · (tentative d'exploit) · → /application/config/config.php	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /application/config/config.php UA Mozilla/5.0 (Linux; Android 9; POCO F1) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /application/config/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /application/config/config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Generic config.php Ligne de requête `GET /application/config/config.php HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; POCO F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application/config/config.php HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 9; POCO F1) AppleWeb Requête brute (extrait) GET /application/config/config.php HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 9; POCO F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connectio Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "php", "http_ua_hash": "8ac8c5939d9e2ede857965537f9fb8e850aa4856", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "ab5bb68257f1fdd1dfa4915fa7104485b044a078", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 268, "payload_entropy": 5.394460651152085, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "7f8b217ccd674ba6517da66016800735e4064716", "event_fingerprint": "4ebf1e13fa24f4bcf99c5fed028775626f70942b", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0118" ], "matched_pattern_names": [ "LFI Generic config.php" ], "pattern_ids": [ "pat-0118" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0550ff632e5e528af3eb24a9aca8de12", "payload_hash": "08ca0f22dad0f5f93a15f14bd691bc92", "path_pattern_hash": "b6440fe574333494578eac2496976a1d" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWeb", "method": "GET", "path": "\/application\/config\/config.php", "user_agent": "Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application\/config\/config.php HTTP\/1.1", "request_sample": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWeb", "evidence": { "method": "GET", "path": "\/application\/config\/config.php", "user_agent": "Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application\/config\/config.php HTTP\/1.1", "request_sample": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWeb", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a92e4375cf415b1b3a853cd80d63f959de4708fd", "protocol_details": { "http_method": "GET", "http_path": "\/application\/config\/config.php", "request_line": "GET \/application\/config\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWeb", "attack_vector": "config file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application\/config\/config.php", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/application\/config\/config.php", "request_line": "GET \/application\/config\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application\/config\/config.php", "evidence_snippet": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWeb", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /.github/workflows/deploy.yml	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.github/workflows/deploy.yml UA Mozilla/5.0 (Linux; U; Android 0.5; en-us) AppleWebKit/522 (KHT… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /.github/workflows/deploy.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /.github/workflows/deploy.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.github/workflows/deploy.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 0.5; en-us) AppleWebKit/522 (KHTML, like Gecko) Safari/419.3 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.github/workflows/deploy.yml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; U; Android 0.5; en-us) AppleW Requête brute (extrait) GET /.github/workflows/deploy.yml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; U; Android 0.5; en-us) AppleWebKit/522 (KHTML, like Gecko) Safari/419.3 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "4beea3a108b47fd12c809112e8eff6d015575026", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "9a980960a1dce8601282270803934f12c1e6c3d4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.416381645861119, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "657ae839512d8ffe5562eb2f05b371422e82a830", "event_fingerprint": "ec7d35e6d1e5b6b90788c6a874636377967bbfef", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6a10c6f0927842ae94147130cbaf18df", "payload_hash": "1e9a194f2076d00a47452f0950e10546", "path_pattern_hash": "76cfbca880390f07dc02774a92e03828" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 0.5; en-us) AppleW", "method": "GET", "path": "\/.github\/workflows\/deploy.yml", "user_agent": "Mozilla\/5.0 (Linux; U; Android 0.5; en-us) AppleWebKit\/522 (KHTML, like Gecko) Safari\/419.3", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 0.5; en-us) AppleWebKit\/522 (KHTML, like Gecko) Safari\/419.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 0.5; en-us) AppleW", "evidence": { "method": "GET", "path": "\/.github\/workflows\/deploy.yml", "user_agent": "Mozilla\/5.0 (Linux; U; Android 0.5; en-us) AppleWebKit\/522 (KHTML, like Gecko) Safari\/419.3", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 0.5; en-us) AppleWebKit\/522 (KHTML, like Gecko) Safari\/419.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 0.5; en-us) AppleW", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "543c24f9559a98b019b259861bd4083dc12cd0c7", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/deploy.yml", "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 0.5; en-us) AppleWebKit\/522 (KHTML, like Gecko) Safari\/419.3", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 0.5; en-us) AppleW", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/deploy.yml", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/deploy.yml", "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 0.5; en-us) AppleWebKit\/522 (KHTML, like Gecko) Safari\/419.3", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/deploy.yml", "evidence_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 0.5; en-us) AppleW", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /jenkins/Jenkinsfile	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /jenkins/Jenkinsfile UA Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko/2004092… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_jenkins Cible HTTP GET /jenkins/Jenkinsfile TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /jenkins/Jenkinsfile Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /jenkins/Jenkinsfile HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko/20040924 Epiphany/1.4.4 (Ubuntu) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /jenkins/Jenkinsfile HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko/20 Requête brute (extrait) GET /jenkins/Jenkinsfile HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko/20040924 Epiphany/1.4.4 (Ubuntu) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "616bca6c2b0aa8f8d45a9de706f86b703be609a0", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "171840fe47dfd6f2d76e0b80f11136ea038cbc5d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 227, "payload_entropy": 5.382182228997273, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "56e1df0e4edf080c7f0a76e1c2a5f2c283afb8d7", "event_fingerprint": "f045ec3aca02ddcd22e3597645a95b474df7f0bd", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2787e25ca12e16cb50469fec88cfc9cd", "payload_hash": "034e8fe1115d514184c7be862c57adc5", "path_pattern_hash": "40125f4f361452a7111c9b4a9dc1dfb2" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20", "method": "GET", "path": "\/jenkins\/Jenkinsfile", "user_agent": "Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040924 Epiphany\/1.4.4 (Ubuntu)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/jenkins\/Jenkinsfile HTTP\/1.1", "request_sample": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040924 Epiphany\/1.4.4 (Ubuntu)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20", "evidence": { "method": "GET", "path": "\/jenkins\/Jenkinsfile", "user_agent": "Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040924 Epiphany\/1.4.4 (Ubuntu)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/jenkins\/Jenkinsfile HTTP\/1.1", "request_sample": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040924 Epiphany\/1.4.4 (Ubuntu)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf2e36d638d848d28b0f20580d084c67d6010e44", "protocol_details": { "http_method": "GET", "http_path": "\/jenkins\/Jenkinsfile", "request_line": "GET \/jenkins\/Jenkinsfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040924 Epiphany\/1.4.4 (Ubuntu)", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/jenkins\/Jenkinsfile", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/jenkins\/Jenkinsfile", "request_line": "GET \/jenkins\/Jenkinsfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040924 Epiphany\/1.4.4 (Ubuntu)", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/jenkins\/Jenkinsfile", "evidence_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_jenkins", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:37:54 UTC	TCP	8150 · HTTP	http	Flood / DDoS http flood · via HTTP:8150 · (tentative d'exploit) · → /.idea/dataSources.xml	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.idea/dataSources.xml UA Mozilla/5.0 (Linux; Android 9; GM1917) AppleWebKit/537.36 (KHTM… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.idea/dataSources.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8150 Chemin / cible /.idea/dataSources.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.idea/ Ligne de requête `GET /.idea/dataSources.xml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; GM1917) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.idea/dataSources.xml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 9; GM1917) AppleWebKit/537.3 Requête brute (extrait) GET /.idea/dataSources.xml HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; Android 9; GM1917) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "a72cb44b77f705dfad42bf99e191154153cac1f4", "http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f", "http_target_hash": "d8b4f1d4ad149f189f1e83b2ee85c58600df146c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.399034227462454, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8150, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 65, "tag_count": 4, "anomaly_count": 0, "campaign_key": "934cfa808198138f459be647ab1957f3c134b957", "event_fingerprint": "83f2cc8fc99fd55181ae34614db21e28498b7f8d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0226" ], "matched_pattern_names": [ "Probe \/.idea\/" ], "pattern_ids": [ "pat-0226" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63ccc5b3b08cee6d0ff7cd59b3427dcd", "payload_hash": "ca42968cfa1d7e08b9e4a3409e6a9619", "path_pattern_hash": "45b1a6f2cf9945ad18514ad77ffdd93e" }, "target_context": { "dst_port": 8150, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.3", "method": "GET", "path": "\/.idea\/dataSources.xml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/dataSources.xml HTTP\/1.1", "request_sample": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/.idea\/dataSources.xml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/dataSources.xml HTTP\/1.1", "request_sample": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b4bd7fc95268aeb82025a41c9e88ae3a2f35861d", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/dataSources.xml", "request_line": "GET \/.idea\/dataSources.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/dataSources.xml", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8150, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/dataSources.xml", "request_line": "GET \/.idea\/dataSources.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8150, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8150 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/dataSources.xml", "evidence_snippet": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.3", "target_port_label": "8150 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8150" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }

34.101.59.109

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence