15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /.git/config UA Opera/9.20 (Macintosh; Intel Mac OS X; U; en)
Émulateur
HTTP
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950513:leak-0
http_backup_file_scan
Cible HTTP
GET
/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
pat-0198
Upstream
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
Probe /.git/config
Ligne de requête
GET /.git/config HTTP/1.1
User-Agent
Opera/9.20 (Macintosh; Intel Mac OS X; U; en)
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Opera/9.20 (Macintosh; Intel Mac OS X; U; en)
Accept-Charset: utf
Requête brute (extrait)
GET /.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Opera/9.20 (Macintosh; Intel Mac OS X; U; en) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "git\/config",
"http_ua_hash": "963772bc47a3191abae054027ab3cf3bd312afb4",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "e2f253eab0d0cf5422d24d22ae2a4954398768df",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 176,
"payload_entropy": 5.167315271805789,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 92,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "f3f2fca423cdeec7d198b1f15393ca2a661efbad",
"event_fingerprint": "ee5a4ae4ac3d1de3ec9ef27fd34f8a890d348beb",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 270,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0198",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0198",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0198"
],
"matched_pattern_names": [
"Probe \/.git\/config"
],
"pattern_ids": [
"pat-0198"
],
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "568f244f4952b5686c6503e1501b5e39",
"payload_hash": "85c64e8c554c6c6ed80011fd9b2aa6e0",
"path_pattern_hash": "3ec26e4f0817b37785cd5e68fed88892"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\r\nAccept-Charset: utf",
"method": "GET",
"path": "\/.git\/config",
"user_agent": "Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/.git\/config HTTP\/1.1",
"request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\r\nAccept-Charset: utf",
"evidence": {
"method": "GET",
"path": "\/.git\/config",
"user_agent": "Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/.git\/config HTTP\/1.1",
"request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\r\nAccept-Charset: utf",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "85146a0166952448803c1a74e949283d332e34c0",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.git\/config",
"request_line": "GET \/.git\/config HTTP\/1.1",
"http_user_agent": "Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\r\nAccept-Charset: utf",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0198",
"INT-upstream"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"pat-0198",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.git\/config",
"request_line": "GET \/.git\/config HTTP\/1.1",
"http_user_agent": "Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.git\/config",
"evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\r\nAccept-Charset: utf",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_git",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /app/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /app/.git/config UA Opera/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto/2.1.1
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/app/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/app/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /app/.git/config HTTP/1.1
User-Agent
Opera/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto/2.1.1
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /app/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Opera/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto/2.1.1
Requête brute (extrait)
GET /app/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Opera/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto/2.1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "b56fac76b098681295c34cc06db8abfc5a5089b3",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "c0d576333b61f38bb5785040d2824435407a4c84",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 195,
"payload_entropy": 5.235883726270085,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d35979a4f83294db537bad1f5a93ab6479babcb4",
"event_fingerprint": "3694a06c0b4aeafa2141df389d374d8dafaa1c26",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b67ff68bef65f1c3cc0268ed830dd905",
"payload_hash": "0ee6f6137d37617cb454b7fc4d8502f4",
"path_pattern_hash": "87d63e686c8d80bd28afc993649c7598"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto\/2.1.1\r\n",
"method": "GET",
"path": "\/app\/.git\/config",
"user_agent": "Opera\/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto\/2.1.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/app\/.git\/config HTTP\/1.1",
"request_sample": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto\/2.1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto\/2.1.1",
"evidence": {
"method": "GET",
"path": "\/app\/.git\/config",
"user_agent": "Opera\/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto\/2.1.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/app\/.git\/config HTTP\/1.1",
"request_sample": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto\/2.1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto\/2.1.1",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "53f080a5f16d96f9b695b7eebd0b346555f1f73a",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.git\/config",
"request_line": "GET \/app\/.git\/config HTTP\/1.1",
"http_user_agent": "Opera\/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto\/2.1.1",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto\/2.1.1",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.git\/config",
"request_line": "GET \/app\/.git\/config HTTP\/1.1",
"http_user_agent": "Opera\/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto\/2.1.1",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.git\/config",
"evidence_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto\/2.1.1",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /frontend/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /frontend/.git/config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/frontend/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/frontend/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /frontend/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3844.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /frontend/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebK
Requête brute (extrait)
GET /frontend/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3844.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "9e309b985c3d5172bc5099e55b13770629bc2cc6",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "79637aca3de7d81f8030ec893ab364d04845083c",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 259,
"payload_entropy": 5.387391513173691,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d35979a4f83294db537bad1f5a93ab6479babcb4",
"event_fingerprint": "acd8f9dd26e156d5a209b507549e4eea132070ac",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c74946b2a4c63b28c43fed81008d84ef",
"payload_hash": "02b119ecdbe54dd1f1d88a4df675a1bd",
"path_pattern_hash": "916bc8abf1fa018cce797ab5bdb418f0"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebK",
"method": "GET",
"path": "\/frontend\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3844.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/frontend\/.git\/config HTTP\/1.1",
"request_sample": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3844.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r",
"payload_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebK",
"evidence": {
"method": "GET",
"path": "\/frontend\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3844.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/frontend\/.git\/config HTTP\/1.1",
"request_sample": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3844.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r",
"payload_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebK",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "738617200a428fba6233793efb150207b518bd1d",
"protocol_details": {
"http_method": "GET",
"http_path": "\/frontend\/.git\/config",
"request_line": "GET \/frontend\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3844.0 Safari\/537.36",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebK",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/frontend\/.git\/config",
"request_line": "GET \/frontend\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3844.0 Safari\/537.36",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.git\/config",
"evidence_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebK",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /v1/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /v1/.git/config UA Opera/9.0 (Macintosh; PPC Mac OS X; U; en)
Émulateur
HTTP
WAF
29
Recommandation
Investiguer
Tags
950316:lfi-14
950326:rce-0
950468:nosqli-3
950513:leak-0
Cible HTTP
GET
/v1/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/v1/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /v1/.git/config HTTP/1.1
User-Agent
Opera/9.0 (Macintosh; PPC Mac OS X; U; en)
Règles WAF
lfi-14
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /v1/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Opera/9.0 (Macintosh; PPC Mac OS X; U; en)
Accept-Charset: utf
Requête brute (extrait)
GET /v1/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Opera/9.0 (Macintosh; PPC Mac OS X; U; en) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "e575d7aa2ac35e075bf4b96060bac58120d23b4b",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "852e68c3e2549d34d36a9b5a3605571990e68c97",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 176,
"payload_entropy": 5.195442841856441,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "3c178e04fd84f25a20399576a84793a3f58fb382",
"event_fingerprint": "5c1d361e85e580c501b54f4d99de5b577f979c81",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "fda3391fb34477b3131030286480ffa6",
"payload_hash": "5185ef40436c4d0ec2bb2f7459df8841",
"path_pattern_hash": "0efea7c22b821f254abb056b9239c5c5"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.0 (Macintosh; PPC Mac OS X; U; en)\r\nAccept-Charset: utf",
"method": "GET",
"path": "\/v1\/.git\/config",
"user_agent": "Opera\/9.0 (Macintosh; PPC Mac OS X; U; en)",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v1\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.0 (Macintosh; PPC Mac OS X; U; en)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.0 (Macintosh; PPC Mac OS X; U; en)\r\nAccept-Charset: utf",
"evidence": {
"method": "GET",
"path": "\/v1\/.git\/config",
"user_agent": "Opera\/9.0 (Macintosh; PPC Mac OS X; U; en)",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v1\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.0 (Macintosh; PPC Mac OS X; U; en)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.0 (Macintosh; PPC Mac OS X; U; en)\r\nAccept-Charset: utf",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6374a64c9c8732b595627c15f1e4502aee983710",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v1\/.git\/config",
"request_line": "GET \/v1\/.git\/config HTTP\/1.1",
"http_user_agent": "Opera\/9.0 (Macintosh; PPC Mac OS X; U; en)",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.0 (Macintosh; PPC Mac OS X; U; en)\r\nAccept-Charset: utf",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v1\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v1\/.git\/config",
"request_line": "GET \/v1\/.git\/config HTTP\/1.1",
"http_user_agent": "Opera\/9.0 (Macintosh; PPC Mac OS X; U; en)",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v1\/.git\/config",
"evidence_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.0 (Macintosh; PPC Mac OS X; U; en)\r\nAccept-Charset: utf",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /src/.git/config
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /src/.git/config UA Peach/1.01 (Ubuntu 8.04 LTS; U; en)
Émulateur
HTTP
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950513:leak-0
http_backup_file_scan
Cible HTTP
GET
/src/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/src/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /src/.git/config HTTP/1.1
User-Agent
Peach/1.01 (Ubuntu 8.04 LTS; U; en)
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /src/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Peach/1.01 (Ubuntu 8.04 LTS; U; en)
Accept-Charset: utf-8
Ac
Requête brute (extrait)
GET /src/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Peach/1.01 (Ubuntu 8.04 LTS; U; en) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "836963936783bc0dc62d06ec9e6d99627f8faf6d",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "46e050e820087702ef14a381ebad48881db62e31",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 170,
"payload_entropy": 5.160106602293591,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 92,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.8,
"risk_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 67,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "16b9577e8f34a65990290e0c299b56171242790a",
"event_fingerprint": "967085f039a82cd803eb1a4f478bc76a28fdc700",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "e6697ce425fde92b944fdb460afd336d",
"payload_hash": "1e1a0f2c1ae2b050bcb0dbc6f10b8f57",
"path_pattern_hash": "83762003e224a5603ed7ad8ff32c59fc"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Peach\/1.01 (Ubuntu 8.04 LTS; U; en)\r\nAccept-Charset: utf-8\r\nAc",
"method": "GET",
"path": "\/src\/.git\/config",
"user_agent": "Peach\/1.01 (Ubuntu 8.04 LTS; U; en)",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/src\/.git\/config HTTP\/1.1",
"request_sample": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Peach\/1.01 (Ubuntu 8.04 LTS; U; en)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Peach\/1.01 (Ubuntu 8.04 LTS; U; en)\r\nAccept-Charset: utf-8\r\nAc",
"evidence": {
"method": "GET",
"path": "\/src\/.git\/config",
"user_agent": "Peach\/1.01 (Ubuntu 8.04 LTS; U; en)",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/src\/.git\/config HTTP\/1.1",
"request_sample": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Peach\/1.01 (Ubuntu 8.04 LTS; U; en)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Peach\/1.01 (Ubuntu 8.04 LTS; U; en)\r\nAccept-Charset: utf-8\r\nAc",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1d4cea8ba24d46a50c5777e79fd9ec04270668ec",
"protocol_details": {
"http_method": "GET",
"http_path": "\/src\/.git\/config",
"request_line": "GET \/src\/.git\/config HTTP\/1.1",
"http_user_agent": "Peach\/1.01 (Ubuntu 8.04 LTS; U; en)",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Peach\/1.01 (Ubuntu 8.04 LTS; U; en)\r\nAccept-Charset: utf-8\r\nAc",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/src\/.git\/config",
"request_line": "GET \/src\/.git\/config HTTP\/1.1",
"http_user_agent": "Peach\/1.01 (Ubuntu 8.04 LTS; U; en)",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.git\/config",
"evidence_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Peach\/1.01 (Ubuntu 8.04 LTS; U; en)\r\nAccept-Charset: utf-8\r\nAc",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /api/.git/config
Élevée
Moyen · 64
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /api/.git/config UA Facebot
Émulateur
HTTP
WAF
18
Recommandation
Investiguer
Tags
950468:nosqli-3
950513:leak-0
950600:k8s-api
http_backup_file_scan
Cible HTTP
GET
/api/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/api/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 64
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /api/.git/config HTTP/1.1
User-Agent
Facebot
Règles WAF
nosqli-3
leak-0
k8s-api
Payload (extrait)
GET /api/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Facebot
Accept-Charset: utf-8
Accept-Encoding: gzip
Connect
Requête brute (extrait)
GET /api/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Facebot Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "92ed14d5d00b55392a2f8df53821162b8ed3f3e9",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "4d60538c38eae0fe13cbc99a2ea3645cbb337669",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 142,
"payload_entropy": 5.013625001431989,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 80,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 80,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 64,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "452e0df628ee1210b583143b438da57f306ee7c3",
"event_fingerprint": "24188c33fc640e04762b936a7037682ddc1f516a",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 80,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 64,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f4b7f272837f997f1687f3c2d0cbaa17",
"payload_hash": "598d87e392ffafc8dcebe28e7111eb84",
"path_pattern_hash": "3ed56f63a5d3aef03e8853abb49b3eea"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 64
},
"payload_preview": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Facebot\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect",
"method": "GET",
"path": "\/api\/.git\/config",
"user_agent": "Facebot",
"waf_tags": [
"950468:nosqli-3",
"950513:leak-0",
"950600:k8s-api"
],
"waf_rule_names": [
"nosqli-3",
"leak-0",
"k8s-api"
],
"request_line": "GET \/api\/.git\/config HTTP\/1.1",
"request_sample": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Facebot\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Facebot\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/api\/.git\/config",
"user_agent": "Facebot",
"waf_tags": [
"950468:nosqli-3",
"950513:leak-0",
"950600:k8s-api"
],
"waf_rule_names": [
"nosqli-3",
"leak-0",
"k8s-api"
],
"request_line": "GET \/api\/.git\/config HTTP\/1.1",
"request_sample": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Facebot\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Facebot\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bb8299d796d7f367439de3548e749d50ca7ab756",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.git\/config",
"request_line": "GET \/api\/.git\/config HTTP\/1.1",
"http_user_agent": "Facebot",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Facebot\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 80,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 64,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 64,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.git\/config",
"request_line": "GET \/api\/.git\/config HTTP\/1.1",
"http_user_agent": "Facebot",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.git\/config",
"evidence_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Facebot\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 80 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950468:nosqli-3",
"950513:leak-0",
"950600:k8s-api",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_api",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /backend/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /backend/.git/config UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like …
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/backend/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/backend/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /backend/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.9.0 Safari/538.1
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /backend/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML,
Requête brute (extrait)
GET /backend/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.9.0 Safari/538.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "2fff47b89b804d57e237417b47cf0728cfe82bec",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "2482ac6c987d570b89dfba6cfee3dc3ac194789d",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 236,
"payload_entropy": 5.4289819518861675,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d35979a4f83294db537bad1f5a93ab6479babcb4",
"event_fingerprint": "ab1cf8d3573bb65c460ec895b9c4b8fe692a4a94",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "bbd0cd45adec936fb82ea5f5d5f91839",
"payload_hash": "a5b5b7b58b93941bcaa18193bff29830",
"path_pattern_hash": "2de751ea5a34e7a22b69004dc29faa62"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/538.1 (KHTML, ",
"method": "GET",
"path": "\/backend\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.9.0 Safari\/538.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/backend\/.git\/config HTTP\/1.1",
"request_sample": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.9.0 Safari\/538.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/538.1 (KHTML,",
"evidence": {
"method": "GET",
"path": "\/backend\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.9.0 Safari\/538.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/backend\/.git\/config HTTP\/1.1",
"request_sample": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.9.0 Safari\/538.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/538.1 (KHTML,",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2cf9a8d7e89c1ed47ad1b5bd6895ef98908a2fe5",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.git\/config",
"request_line": "GET \/backend\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.9.0 Safari\/538.1",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/538.1 (KHTML,",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.git\/config",
"request_line": "GET \/backend\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.9.0 Safari\/538.1",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.git\/config",
"evidence_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/538.1 (KHTML,",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /v2/.git/config
Élevée
Élevé · 71
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /v2/.git/config UA Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit/53…
Émulateur
HTTP
WAF
35
Recommandation
Investiguer
Tags
950316:lfi-14
950326:rce-0
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/v2/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/v2/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 71
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /v2/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
lfi-14
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /v2/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit/53
Requête brute (extrait)
GET /v2/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "67cd2aa88754575f856c2edf38d4b5159963a959",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "3a5f2466c34928bb38a61b739c70bfc69a077a30",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 263,
"payload_entropy": 5.399518877086195,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.3,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 71,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "903af21de95b930e7630e0f7dcfb8bf508fbc891",
"event_fingerprint": "75ac7bac7ca29fea64c64e9a3f4318e40198854e",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "57322d07efe3c4afc6e4b5dae3823bbb",
"payload_hash": "86231ec57d2fc2d7f48001f259fffe99",
"path_pattern_hash": "fcafe4006602b874bcf9d18118e88566"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 71
},
"payload_preview": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/53",
"method": "GET",
"path": "\/v2\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v2\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl",
"payload_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/53",
"evidence": {
"method": "GET",
"path": "\/v2\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v2\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl",
"payload_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/53",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "66f34242622ec2d7b8096fb235fff4f709f26143",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v2\/.git\/config",
"request_line": "GET \/v2\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Saf\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/53",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 71,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v2\/.git\/config",
"request_line": "GET \/v2\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Saf\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/.git\/config",
"evidence_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/53",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /web/.git/config
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /web/.git/config UA Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Ge…
Émulateur
HTTP
WAF
20
Recommandation
Investiguer
Tags
950468:nosqli-3
950470:nosqli-3
950513:leak-0
http_backup_file_scan
Cible HTTP
GET
/web/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/web/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /web/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 YaBrowser/17.3.0.1785 Yowser/2.5 Safari/537.36
Règles WAF
nosqli-3
leak-0
Payload (extrait)
GET /web/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like G
Requête brute (extrait)
GET /web/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 YaBrowser/17.3.0.1785 Yowser/2.5 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connecti
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "22a358cccea2daf46b8f0e0a52733ee09291d8ab",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "f32c2ab0d87a20f2415a1cf44997c48739d87917",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 269,
"payload_entropy": 5.396365459014772,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 88,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.8,
"risk_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 66,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e24e67986d800f96a9f8e38c08d1110fe0ed0a31",
"event_fingerprint": "c343c9604689e27c4d04dc4b29c6d8b0287384be",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "5df81b5f983af6e14df6d7ffadcccd84",
"payload_hash": "d0c905857d5a0d7996da40520ffd84c7",
"path_pattern_hash": "2be87edfa036da6580e700b188114b92"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like G",
"method": "GET",
"path": "\/web\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.5 Safari\/537.36",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"nosqli-3",
"leak-0"
],
"request_line": "GET \/web\/.git\/config HTTP\/1.1",
"request_sample": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti",
"payload_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like G",
"evidence": {
"method": "GET",
"path": "\/web\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.5 Safari\/537.36",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"nosqli-3",
"leak-0"
],
"request_line": "GET \/web\/.git\/config HTTP\/1.1",
"request_sample": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti",
"payload_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like G",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dabc76d83e8c110f462fedd07e661d2426cec68b",
"protocol_details": {
"http_method": "GET",
"http_path": "\/web\/.git\/config",
"request_line": "GET \/web\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like G",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/web\/.git\/config",
"request_line": "GET \/web\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web\/.git\/config",
"evidence_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like G",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /www/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /www/.git/config UA Mozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox/…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/www/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/www/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /www/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /www/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox
Requête brute (extrait)
GET /www/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "d5494fe16df11ab5f5d2c945da5478c2861a6327",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "7b5c6d1b9506a8d5fe958dbcf1ffdcdd61f34f9e",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 220,
"payload_entropy": 5.236444944707318,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d35979a4f83294db537bad1f5a93ab6479babcb4",
"event_fingerprint": "cbc309f0f385969b882f65c68303d7c064c19fc7",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "75c159c7e8d01603c84d35f769c53185",
"payload_hash": "69717a21d49a04f73b7cd055c5400369",
"path_pattern_hash": "2067f182832f5bbc5f3205656471af53"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.2; rv:10.0.1) Gecko\/20100101 Firefox",
"method": "GET",
"path": "\/www\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 5.2; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1 SeaMonkey\/2.7.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/www\/.git\/config HTTP\/1.1",
"request_sample": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.2; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1 SeaMonkey\/2.7.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.2; rv:10.0.1) Gecko\/20100101 Firefox",
"evidence": {
"method": "GET",
"path": "\/www\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 5.2; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1 SeaMonkey\/2.7.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/www\/.git\/config HTTP\/1.1",
"request_sample": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.2; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1 SeaMonkey\/2.7.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.2; rv:10.0.1) Gecko\/20100101 Firefox",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "95cb6923631bc329fa6721d9b8ff21d729a7c2c3",
"protocol_details": {
"http_method": "GET",
"http_path": "\/www\/.git\/config",
"request_line": "GET \/www\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 5.2; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1 SeaMonkey\/2.7.1",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.2; rv:10.0.1) Gecko\/20100101 Firefox",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/www\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/www\/.git\/config",
"request_line": "GET \/www\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 5.2; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1 SeaMonkey\/2.7.1",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/www\/.git\/config",
"evidence_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.2; rv:10.0.1) Gecko\/20100101 Firefox",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /v3/.git/config
Élevée
Élevé · 71
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /v3/.git/config UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,…
Émulateur
HTTP
WAF
35
Recommandation
Investiguer
Tags
950316:lfi-14
950326:rce-0
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/v3/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/v3/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 71
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /v3/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.122 Safari/537.36 Vivaldi/2.3.1440.61
Règles WAF
lfi-14
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /v3/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
Requête brute (extrait)
GET /v3/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.122 Safari/537.36 Vivaldi/2.3.1440.61 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "c1c1bde123fbda9b83f4d6156cd3b28c2797d20e",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "4bf76a52a29633f52f17f2cac5ee4daa8e021adb",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 264,
"payload_entropy": 5.41300946546572,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.3,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 71,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "903af21de95b930e7630e0f7dcfb8bf508fbc891",
"event_fingerprint": "61c3098768151fc66230a9112ce2d38ecbde91ac",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "65a9a2f402a488c7f9c458cde878f2c7",
"payload_hash": "2f55269cf6b11d5f16a831cf821c7d05",
"path_pattern_hash": "4562786c79a4c5f0790c3581071f5847"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 71
},
"payload_preview": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,",
"method": "GET",
"path": "\/v3\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.122 Safari\/537.36 Vivaldi\/2.3.1440.61",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v3\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.122 Safari\/537.36 Vivaldi\/2.3.1440.61\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c",
"payload_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,",
"evidence": {
"method": "GET",
"path": "\/v3\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.122 Safari\/537.36 Vivaldi\/2.3.1440.61",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v3\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.122 Safari\/537.36 Vivaldi\/2.3.1440.61\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c",
"payload_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ff66e2f34058054ed46fe4087f3a57b9f8f92b60",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v3\/.git\/config",
"request_line": "GET \/v3\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.122 Safari\/537.36 Vivaldi\/\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v3\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 71,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v3\/.git\/config",
"request_line": "GET \/v3\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.122 Safari\/537.36 Vivaldi\/\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v3\/.git\/config",
"evidence_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /assets/.git/config
Élevée
Élevé · 71
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /assets/.git/config UA Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/537.4 (KHTML like …
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/assets/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/assets/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 71
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /assets/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.79 Safari/537.4
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /assets/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/537.4 (KHTML l
Requête brute (extrait)
GET /assets/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.79 Safari/537.4 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "201cf1809e94e9e144ec879342a4208edaa36583",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "e81ca9a0554d6690b053d3acc558b05833b1c696",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 240,
"payload_entropy": 5.419862850244947,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.3,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 71,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "94bdf61e74a038e362de0ed8c447adcb0edf9870",
"event_fingerprint": "859bcbc6e19e7940ad12caf78d2722c9a897c378",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ab9ce12154ef6508e330784ba3d9fd73",
"payload_hash": "ed02be924dc4462668835b9b783e48b7",
"path_pattern_hash": "70c13b709566f458c71892575aa001e0"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 71
},
"payload_preview": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.4 (KHTML l",
"method": "GET",
"path": "\/assets\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.4 (KHTML like Gecko) Chrome\/22.0.1229.79 Safari\/537.4",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/assets\/.git\/config HTTP\/1.1",
"request_sample": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.4 (KHTML like Gecko) Chrome\/22.0.1229.79 Safari\/537.4\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.4 (KHTML l",
"evidence": {
"method": "GET",
"path": "\/assets\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.4 (KHTML like Gecko) Chrome\/22.0.1229.79 Safari\/537.4",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/assets\/.git\/config HTTP\/1.1",
"request_sample": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.4 (KHTML like Gecko) Chrome\/22.0.1229.79 Safari\/537.4\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.4 (KHTML l",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a905b60a5be634f0ffcd0fc1d12b5db9be66bf56",
"protocol_details": {
"http_method": "GET",
"http_path": "\/assets\/.git\/config",
"request_line": "GET \/assets\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.4 (KHTML like Gecko) Chrome\/22.0.1229.79 Safari\/537.4",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.4 (KHTML l",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 71,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/assets\/.git\/config",
"request_line": "GET \/assets\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.4 (KHTML like Gecko) Chrome\/22.0.1229.79 Safari\/537.4",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/.git\/config",
"evidence_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.4 (KHTML l",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_assets",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /html/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /html/.git/config UA Mozilla/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit/537.36…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/html/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/html/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /html/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /html/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit/537.
Requête brute (extrait)
GET /html/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "6aff732470fe58bd4790fe0369b32e207e465d2c",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "ed148acba970ce3061829b4dd97608d1a6997773",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 260,
"payload_entropy": 5.401303948540164,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d35979a4f83294db537bad1f5a93ab6479babcb4",
"event_fingerprint": "9b12c99ad7e535a0f0126944d7ff01cf3c2bf8d7",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d2969e11d9e76c7da7c32972b11502fc",
"payload_hash": "2bce9ef80ab294b09edd392b5f8cac6e",
"path_pattern_hash": "985e825857a4aae20b7bcc62b05870c4"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.",
"method": "GET",
"path": "\/html\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/html\/.git\/config HTTP\/1.1",
"request_sample": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close",
"payload_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.",
"evidence": {
"method": "GET",
"path": "\/html\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/html\/.git\/config HTTP\/1.1",
"request_sample": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close",
"payload_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "baac4037672e6687da85f00b28f3848f8b527c40",
"protocol_details": {
"http_method": "GET",
"http_path": "\/html\/.git\/config",
"request_line": "GET \/html\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/html\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/html\/.git\/config",
"request_line": "GET \/html\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/html\/.git\/config",
"evidence_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /static/.git/config
Élevée
Élevé · 71
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /static/.git/config UA Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/4…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/static/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/static/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 71
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /static/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /static/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firef
Requête brute (extrait)
GET /static/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "15528fa78e49979e5ff61eebeb8d1ed1381abbfc",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "521a53c26ae63c9f634cf4a8753a3e9a31c14380",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 204,
"payload_entropy": 5.245136450452258,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.3,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 71,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "7a145250afc08b4b2638cf7b77141654b3d5e67a",
"event_fingerprint": "9819b34c777e80bdbd556c86d8d385ce4c3d65f0",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b2900afb58cd43a1b2c3d7cbe62be4b4",
"payload_hash": "cc1650086497f52c7c551ca037ff9f08",
"path_pattern_hash": "8991b5397bf20ed66988d72bf753894a"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 71
},
"payload_preview": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:43.0) Gecko\/20100101 Firef",
"method": "GET",
"path": "\/static\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:43.0) Gecko\/20100101 Firefox\/43.0",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/static\/.git\/config HTTP\/1.1",
"request_sample": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:43.0) Gecko\/20100101 Firefox\/43.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:43.0) Gecko\/20100101 Firef",
"evidence": {
"method": "GET",
"path": "\/static\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:43.0) Gecko\/20100101 Firefox\/43.0",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/static\/.git\/config HTTP\/1.1",
"request_sample": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:43.0) Gecko\/20100101 Firefox\/43.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:43.0) Gecko\/20100101 Firef",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "afffc1a2bc72a083e5c0b1d5d6697f6c42322d0d",
"protocol_details": {
"http_method": "GET",
"http_path": "\/static\/.git\/config",
"request_line": "GET \/static\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:43.0) Gecko\/20100101 Firefox\/43.0",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:43.0) Gecko\/20100101 Firef",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 71,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/static\/.git\/config",
"request_line": "GET \/static\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:43.0) Gecko\/20100101 Firefox\/43.0",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/.git\/config",
"evidence_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:43.0) Gecko\/20100101 Firef",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_static",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /public/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /public/.git/config UA Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like G…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/public/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/public/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /public/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2166.2 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /public/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, li
Requête brute (extrait)
GET /public/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2166.2 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "e42dfe396cecc2f95ce9656f4afdef6a1db82c8a",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "8257582ae447b9a2124e0414764cac0aac8808de",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 239,
"payload_entropy": 5.3801223891210395,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d35979a4f83294db537bad1f5a93ab6479babcb4",
"event_fingerprint": "147ebbb1207c3290af04db59a52e74dc8c00731a",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "8af73b7f8aafd20609016b2b3181f8bf",
"payload_hash": "cd1dab8ef10e452d82fbad09f65b725a",
"path_pattern_hash": "78b85c05b86f9869fecb7907511b414c"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, li",
"method": "GET",
"path": "\/public\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2166.2 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/public\/.git\/config HTTP\/1.1",
"request_sample": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2166.2 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, li",
"evidence": {
"method": "GET",
"path": "\/public\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2166.2 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/public\/.git\/config HTTP\/1.1",
"request_sample": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2166.2 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, li",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1b8e6afae30912a7697398c7eba7559e7f31cd3c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/public\/.git\/config",
"request_line": "GET \/public\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2166.2 Safari\/537.36",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, li",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/public\/.git\/config",
"request_line": "GET \/public\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2166.2 Safari\/537.36",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/.git\/config",
"evidence_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, li",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /dist/.git/config
Élevée
Élevé · 71
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /dist/.git/config UA Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleW…
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950086:sqli-21
950326:rce-0
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/dist/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/dist/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « sqli-21 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 71
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /dist/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15G77 MicroMessenger/7.0.3(0x17000321) NetType/WIFI Language/zh_CN
Règles WAF
sqli-21
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /dist/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) Appl
Requête brute (extrait)
GET /dist/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15G77 MicroMessenger/7.0.3(0x17000321) NetType/WIFI Language/zh_CN Accept-Charset:
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "4bb4290188685f5033767113f92b3972ed7795d9",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "b2ec2395164738dbd60ce81f264be6255104bfff",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 307,
"payload_entropy": 5.438442671937824,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.3,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 71,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "8cfe7cb9fb494532fdc0af99ecb3157c0e2745b1",
"event_fingerprint": "bcfb633d64e7842f3cf3294af9610e3823d44c85",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32be96c38f74d9e299607618d54e6b44",
"payload_hash": "c580e52c697f9ae42903d07af2ee5007",
"path_pattern_hash": "dd1606cd54dc95eed2c024184678427e"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 71
},
"payload_preview": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) Appl",
"method": "GET",
"path": "\/dist\/.git\/config",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMessenger\/7.0.3(0x17000321) NetType\/WIFI Language\/zh_CN",
"waf_tags": [
"950086:sqli-21",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"sqli-21",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/dist\/.git\/config HTTP\/1.1",
"request_sample": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMessenger\/7.0.3(0x17000321) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: ",
"payload_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) Appl",
"evidence": {
"method": "GET",
"path": "\/dist\/.git\/config",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMessenger\/7.0.3(0x17000321) NetType\/WIFI Language\/zh_CN",
"waf_tags": [
"950086:sqli-21",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"sqli-21",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/dist\/.git\/config HTTP\/1.1",
"request_sample": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMessenger\/7.0.3(0x17000321) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: ",
"payload_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) Appl",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8aa9ad7ccfb6738a40a0b0af0219ed2afe666519",
"protocol_details": {
"http_method": "GET",
"http_path": "\/dist\/.git\/config",
"request_line": "GET \/dist\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMes\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) Appl",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 71,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/dist\/.git\/config",
"request_line": "GET \/dist\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMes\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/.git\/config",
"evidence_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) Appl",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950086:sqli-21",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /build/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /build/.git/config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/build/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/build/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /build/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /build/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/
Requête brute (extrait)
GET /build/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "73f886f1ed596334e49283d03c4022d1546ce9ee",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "6aeebdefc1a7f3903e2f068a42149eb080915c7b",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 254,
"payload_entropy": 5.352737923360261,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d35979a4f83294db537bad1f5a93ab6479babcb4",
"event_fingerprint": "ee5c0563908c575af6b3ee77dd2b462a35060316",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a25df57e234ab2a397e1a011a6bee826",
"payload_hash": "68b43d0126f297935131d215e244f901",
"path_pattern_hash": "203627ae3f02d834b42dc778d4676888"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/",
"method": "GET",
"path": "\/build\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/build\/.git\/config HTTP\/1.1",
"request_sample": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/",
"evidence": {
"method": "GET",
"path": "\/build\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/build\/.git\/config HTTP\/1.1",
"request_sample": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6acc352ddef62ba694cf99eae504760d21d6f576",
"protocol_details": {
"http_method": "GET",
"http_path": "\/build\/.git\/config",
"request_line": "GET \/build\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/build\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/build\/.git\/config",
"request_line": "GET \/build\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/build\/.git\/config",
"evidence_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /admin/.git/config
Élevée
Élevé · 71
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /admin/.git/config UA Opera/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/admin/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/admin/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 71
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
ET Magento admin
ES admin GET
ActiveMQ console
Ligne de requête
GET /admin/.git/config HTTP/1.1
User-Agent
Opera/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto/2.12.388 Version/12.10
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /admin/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Opera/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Pre
Requête brute (extrait)
GET /admin/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Opera/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto/2.12.388 Version/12.10 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "01d5fbf93a54fabb8ab22591bb3459434f9dab9f",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "0d4fda54689ca91aa1cd9ce83cd7fe814ab26468",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 223,
"payload_entropy": 5.290737638942311,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.3,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 71,
"tag_count": 11,
"anomaly_count": 0,
"campaign_key": "b9e06f68b0b5d3d2fab0e53eef3ab56af9a7c673",
"event_fingerprint": "96a8d2a0865efa5c214a7948290d9a1b5fc540e6",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0854",
"pat-0341",
"pat-0606"
],
"matched_pattern_names": [
"ET Magento admin",
"ES admin GET",
"ActiveMQ console"
],
"pattern_ids": [
"pat-0854",
"pat-0341",
"pat-0606"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "92fb9085c955383e740262552eee1da9",
"payload_hash": "bf16b2915e7885920e2c9a468a5d0346",
"path_pattern_hash": "b0ac58c50c927a70e841faaa3da36222"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 71
},
"payload_preview": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Pre",
"method": "GET",
"path": "\/admin\/.git\/config",
"user_agent": "Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/admin\/.git\/config HTTP\/1.1",
"request_sample": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Pre",
"evidence": {
"method": "GET",
"path": "\/admin\/.git\/config",
"user_agent": "Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/admin\/.git\/config HTTP\/1.1",
"request_sample": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Pre",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "43f36d0017219c2a65c42d608df46cc30a7e2854",
"protocol_details": {
"http_method": "GET",
"http_path": "\/admin\/.git\/config",
"request_line": "GET \/admin\/.git\/config HTTP\/1.1",
"http_user_agent": "Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Pre",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 71,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/admin\/.git\/config",
"request_line": "GET \/admin\/.git\/config HTTP\/1.1",
"http_user_agent": "Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.git\/config",
"evidence_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Pre",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_admin_panel_probe",
"http_admin_panel_scan",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_admin",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /htdocs/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /htdocs/.git/config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/htdocs/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/htdocs/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /htdocs/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /htdocs/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit
Requête brute (extrait)
GET /htdocs/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "18d0c4c66bfeb47f5713a590ffcf98a2b0de5ca4",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "91751256d60394a8b0340bb86ad1a8313b8dadfa",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 255,
"payload_entropy": 5.326356914451816,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d35979a4f83294db537bad1f5a93ab6479babcb4",
"event_fingerprint": "ec0bcaa61af751b40d9095d80eeaf99b7ef48314",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ea9a3dec4dce8747ef8c835f03590297",
"payload_hash": "12714c6e4fe4996c2cd9996036f81bbc",
"path_pattern_hash": "9d5b4b02a118c63f9864fb4303c2c2fa"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"method": "GET",
"path": "\/htdocs\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/htdocs\/.git\/config HTTP\/1.1",
"request_sample": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"evidence": {
"method": "GET",
"path": "\/htdocs\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/htdocs\/.git\/config HTTP\/1.1",
"request_sample": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "12cdcb95ded4fae617aa4f8b652078d7394f85fe",
"protocol_details": {
"http_method": "GET",
"http_path": "\/htdocs\/.git\/config",
"request_line": "GET \/htdocs\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/htdocs\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/htdocs\/.git\/config",
"request_line": "GET \/htdocs\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/htdocs\/.git\/config",
"evidence_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /site/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /site/.git/config UA Mozilla/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build/CR…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/site/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/site/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /site/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build/CRB17) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /site/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build/
Requête brute (extrait)
GET /site/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build/CRB17) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Accept-Charset: utf-8 Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "367757f04e1ae0a0d238cc52c5aaff038ddcbe2e",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "99d75e39037b11054e155a03133c80282ea1c965",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 279,
"payload_entropy": 5.381406157677166,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d35979a4f83294db537bad1f5a93ab6479babcb4",
"event_fingerprint": "7d058294f50e2e61264d2bf6ea76da7c86d27c49",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "5db3288ac19f9564403bfc6ad9ce9089",
"payload_hash": "099109677d0c1385f2f65b221f9d50aa",
"path_pattern_hash": "6901c63c2daa99b93d9d7c027371b852"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build\/",
"method": "GET",
"path": "\/site\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build\/CRB17) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/site\/.git\/config HTTP\/1.1",
"request_sample": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build\/CRB17) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip",
"payload_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build\/",
"evidence": {
"method": "GET",
"path": "\/site\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build\/CRB17) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/site\/.git\/config HTTP\/1.1",
"request_sample": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build\/CRB17) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip",
"payload_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build\/",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b6315bb040d7f3e77d2df8ac258f93f319e8ff09",
"protocol_details": {
"http_method": "GET",
"http_path": "\/site\/.git\/config",
"request_line": "GET \/site\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build\/CRB17) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build\/",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/site\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/site\/.git\/config",
"request_line": "GET \/site\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build\/CRB17) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/site\/.git\/config",
"evidence_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build\/",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /dashboard/.git/config
Élevée
Élevé · 71
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /dashboard/.git/config UA Mozilla/5.0 (Linux; Android 9; moto g(6)) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/dashboard/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/dashboard/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 71
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /dashboard/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; moto g(6)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /dashboard/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Linux; Android 9; moto g(6)) AppleWebKit/53
Requête brute (extrait)
GET /dashboard/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; moto g(6)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "031ff0258154d1eac873b26f3492f9a96a7bd2d9",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "8e8dab3e424b71a244774110fadcc774ba40fa59",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 263,
"payload_entropy": 5.386717093523237,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.3,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 71,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "6b4fe3b24e76550620e766c95cac93caa010286c",
"event_fingerprint": "6968aa47ff3c27faaa00beb379c20f6445dcfe2b",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2f37b314141013853374c7f76ffa74e",
"payload_hash": "c875b3d6f275d6ee31547e948f494034",
"path_pattern_hash": "33b0aba70ccc7970e9e866f8e50aaddb"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 71
},
"payload_preview": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/53",
"method": "GET",
"path": "\/dashboard\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/dashboard\/.git\/config HTTP\/1.1",
"request_sample": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl",
"payload_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/53",
"evidence": {
"method": "GET",
"path": "\/dashboard\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/dashboard\/.git\/config HTTP\/1.1",
"request_sample": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl",
"payload_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/53",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f3ccc1ed03de74dc69a4fb22e8647658569dda73",
"protocol_details": {
"http_method": "GET",
"http_path": "\/dashboard\/.git\/config",
"request_line": "GET \/dashboard\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/53",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dashboard\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 71,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/dashboard\/.git\/config",
"request_line": "GET \/dashboard\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dashboard\/.git\/config",
"evidence_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6)) AppleWebKit\/53",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_traefik",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /portal/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /portal/.git/config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/portal/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/portal/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /portal/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /portal/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit
Requête brute (extrait)
GET /portal/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "91ece6334beb879a824a06c33b4cb4240e4c6f56",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "c6c2b01731ed2b569c9ab907e9a96206a2cfc6cc",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 257,
"payload_entropy": 5.320257302993195,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d35979a4f83294db537bad1f5a93ab6479babcb4",
"event_fingerprint": "39f23a0ebe2d5a41ff03fd059cacf4eb6807d8ff",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "27a2558c36538127dcb1af9bbb95af64",
"payload_hash": "e87b06bc09c88f677a3c4607e05411da",
"path_pattern_hash": "b68e69ddda3386f78de437bb71fa9236"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"method": "GET",
"path": "\/portal\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/portal\/.git\/config HTTP\/1.1",
"request_sample": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r",
"payload_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"evidence": {
"method": "GET",
"path": "\/portal\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/portal\/.git\/config HTTP\/1.1",
"request_sample": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r",
"payload_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5e1337a12631f19a51cfe5e24e36e7743e8b8d72",
"protocol_details": {
"http_method": "GET",
"http_path": "\/portal\/.git\/config",
"request_line": "GET \/portal\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/portal\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/portal\/.git\/config",
"request_line": "GET \/portal\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/portal\/.git\/config",
"evidence_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /wp-content/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /wp-content/.git/config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/wp-content/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/wp-content/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /wp-content/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /wp-content/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWe
Requête brute (extrait)
GET /wp-content/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "18d0c4c66bfeb47f5713a590ffcf98a2b0de5ca4",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "1cbb6121d6675be288abb212d6a93556d924de3d",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 259,
"payload_entropy": 5.317827672915061,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d35979a4f83294db537bad1f5a93ab6479babcb4",
"event_fingerprint": "82b0bc5ce7f981616d26fc32bb897907b3f6ecb0",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ea9a3dec4dce8747ef8c835f03590297",
"payload_hash": "69c6676f03303a925552553aa54247dd",
"path_pattern_hash": "653b421a6e10a22436e18cc595f6a1ee"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWe",
"method": "GET",
"path": "\/wp-content\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/wp-content\/.git\/config HTTP\/1.1",
"request_sample": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r",
"payload_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWe",
"evidence": {
"method": "GET",
"path": "\/wp-content\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/wp-content\/.git\/config HTTP\/1.1",
"request_sample": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r",
"payload_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWe",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f363f2be9dfb6e23f968c103557022a2b7f721af",
"protocol_details": {
"http_method": "GET",
"http_path": "\/wp-content\/.git\/config",
"request_line": "GET \/wp-content\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWe",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-content\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/wp-content\/.git\/config",
"request_line": "GET \/wp-content\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-content\/.git\/config",
"evidence_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWe",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /blog/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /blog/.git/config UA Mozilla/5.0 (Linux; Android 4.0.4; BNTV400 Build/IMM76L) AppleW…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/blog/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/blog/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /blog/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 4.0.4; BNTV400 Build/IMM76L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /blog/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; BNTV400 Build/IMM76L) Appl
Requête brute (extrait)
GET /blog/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; BNTV400 Build/IMM76L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection:
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "b872393454d8679ae61da75ad761a12f6c96eef0",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "1813dede65bdf71d338345f47e16a42344128e28",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 266,
"payload_entropy": 5.456737317189657,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d35979a4f83294db537bad1f5a93ab6479babcb4",
"event_fingerprint": "ac62762d7659788219430a1448a44b417e639ad9",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "531b6c86ae06578596b1078f2ca6eb01",
"payload_hash": "c7c47e77f4fba2a9438cf12d7b96f33f",
"path_pattern_hash": "daa6f35b77a4b5cee3d40cc9dc6869ad"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.0.4; BNTV400 Build\/IMM76L) Appl",
"method": "GET",
"path": "\/blog\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 4.0.4; BNTV400 Build\/IMM76L) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.111 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/blog\/.git\/config HTTP\/1.1",
"request_sample": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.0.4; BNTV400 Build\/IMM76L) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.111 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:",
"payload_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.0.4; BNTV400 Build\/IMM76L) Appl",
"evidence": {
"method": "GET",
"path": "\/blog\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 4.0.4; BNTV400 Build\/IMM76L) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.111 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/blog\/.git\/config HTTP\/1.1",
"request_sample": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.0.4; BNTV400 Build\/IMM76L) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.111 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:",
"payload_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.0.4; BNTV400 Build\/IMM76L) Appl",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "82e08c6f7041c1edf80adb3849345adb40bea98f",
"protocol_details": {
"http_method": "GET",
"http_path": "\/blog\/.git\/config",
"request_line": "GET \/blog\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 4.0.4; BNTV400 Build\/IMM76L) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.111 Sa\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.0.4; BNTV400 Build\/IMM76L) Appl",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/blog\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/blog\/.git\/config",
"request_line": "GET \/blog\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 4.0.4; BNTV400 Build\/IMM76L) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.111 Sa\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/blog\/.git\/config",
"evidence_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.0.4; BNTV400 Build\/IMM76L) Appl",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /laravel/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /laravel/.git/config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/laravel/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/laravel/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /laravel/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /laravel/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi
Requête brute (extrait)
GET /laravel/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "1d7bfbdc6c4b69494bd0e4554833ba029685cda3",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "ff65c052e15f784544b91aafeff8e6c3f996fc2a",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 260,
"payload_entropy": 5.4025132600616,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d35979a4f83294db537bad1f5a93ab6479babcb4",
"event_fingerprint": "df428d5fe07dfad61d8cd69781ed53024c4c0929",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "fdc75d0206e3c1b96e6c09988b26d975",
"payload_hash": "eb30ac6283fb9637a114c0b909e3bfac",
"path_pattern_hash": "3a3de1279fd8fe4dc4799f8620f7768e"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi",
"method": "GET",
"path": "\/laravel\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/laravel\/.git\/config HTTP\/1.1",
"request_sample": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close",
"payload_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi",
"evidence": {
"method": "GET",
"path": "\/laravel\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/laravel\/.git\/config HTTP\/1.1",
"request_sample": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close",
"payload_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4eae46477bb6175d1b04a98470b4fd6c90313c27",
"protocol_details": {
"http_method": "GET",
"http_path": "\/laravel\/.git\/config",
"request_line": "GET \/laravel\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/laravel\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/laravel\/.git\/config",
"request_line": "GET \/laravel\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/laravel\/.git\/config",
"evidence_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /wordpress/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /wordpress/.git/config UA Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) A…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/wordpress/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/wordpress/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /wordpress/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /wordpress/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/E
Requête brute (extrait)
GET /wordpress/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Accept-Charset: utf-8 Accept-Encoding: gzip Con
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "5293452ed8d7216a03ae39f1716f94c020355bda",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "466d1ef9599315e8ea185d729b1bb7f4ef3f3e3e",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 274,
"payload_entropy": 5.373075124299916,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d35979a4f83294db537bad1f5a93ab6479babcb4",
"event_fingerprint": "a5230deb945f24606b19eac551b059785eae8ad2",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "14ceea9fa263d8dc8fc78f91cead5a61",
"payload_hash": "62344aaa710d71b81bdbd52e8864eb62",
"path_pattern_hash": "065fde2a84971d9e936ccb4d03006f9c"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/E",
"method": "GET",
"path": "\/wordpress\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/wordpress\/.git\/config HTTP\/1.1",
"request_sample": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon",
"payload_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/E",
"evidence": {
"method": "GET",
"path": "\/wordpress\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/wordpress\/.git\/config HTTP\/1.1",
"request_sample": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon",
"payload_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/E",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3d4a456277e56aca42359f2f5bf23b8fbb2df8e2",
"protocol_details": {
"http_method": "GET",
"http_path": "\/wordpress\/.git\/config",
"request_line": "GET \/wordpress\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/E",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wordpress\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/wordpress\/.git\/config",
"request_line": "GET \/wordpress\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wordpress\/.git\/config",
"evidence_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/E",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /shop/.git/config
Élevée
Élevé · 71
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /shop/.git/config UA Mozilla/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit/537.3…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/shop/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/shop/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 71
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /shop/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /shop/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit/537
Requête brute (extrait)
GET /shop/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "45f25f7f3a95d24530c6e937f57dc8e4f758e10e",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "802d0aecf0b84c68ef00c159917e7dd44f6dfd34",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 262,
"payload_entropy": 5.431031139712954,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.3,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 71,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "57466d28ab96404dc85a908811d70db001569c0b",
"event_fingerprint": "360fa1eb782817157d4a25d808be3c27c4176e34",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b2824f06d2ae6f47f90bdff4fc6dc9f5",
"payload_hash": "b888449b885b626f353378112f717b2c",
"path_pattern_hash": "6603e8dbaffaf78a6758aff077d9de4a"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 71
},
"payload_preview": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537",
"method": "GET",
"path": "\/shop\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/shop\/.git\/config HTTP\/1.1",
"request_sample": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo",
"payload_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537",
"evidence": {
"method": "GET",
"path": "\/shop\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/shop\/.git\/config HTTP\/1.1",
"request_sample": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo",
"payload_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9d28d8701a76cb8137632d8c568b908b68e32756",
"protocol_details": {
"http_method": "GET",
"http_path": "\/shop\/.git\/config",
"request_line": "GET \/shop\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/shop\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 71,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/shop\/.git\/config",
"request_line": "GET \/shop\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/shop\/.git\/config",
"evidence_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_shop",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /symfony/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /symfony/.git/config UA Mozilla/5.0 (Linux; Android 9; SM-G973F) AppleWebKit/537.36 (KH…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/symfony/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/symfony/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /symfony/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; SM-G973F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /symfony/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973F) AppleWebKit/537.3
Requête brute (extrait)
GET /symfony/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "58c3d77164b1f171575aca111c4de9f8b3d542b4",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "256775bfb3e8fd0855bebb6ef917cf83cff8a368",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 260,
"payload_entropy": 5.435643484566805,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d35979a4f83294db537bad1f5a93ab6479babcb4",
"event_fingerprint": "4afa874af4fff734e208b4f4cce9dfd352765943",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "5b88a669c8d5f8ecd01200ab1a54488d",
"payload_hash": "ded5ae645713254306db39c5c11be05c",
"path_pattern_hash": "8b0b254049cc28b88f641713d31106e0"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.3",
"method": "GET",
"path": "\/symfony\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/symfony\/.git\/config HTTP\/1.1",
"request_sample": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close",
"payload_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.3",
"evidence": {
"method": "GET",
"path": "\/symfony\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/symfony\/.git\/config HTTP\/1.1",
"request_sample": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close",
"payload_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.3",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2c6d181c726be07fb61859dcae591b273c83ab1f",
"protocol_details": {
"http_method": "GET",
"http_path": "\/symfony\/.git\/config",
"request_line": "GET \/symfony\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.3",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/symfony\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/symfony\/.git\/config",
"request_line": "GET \/symfony\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/symfony\/.git\/config",
"evidence_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.3",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /project/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /project/.git/config UA Mozilla/5.0 (Linux; Android 9; SM-G973F) AppleWebKit/537.36 (KH…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/project/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/project/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /project/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; SM-G973F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /project/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973F) AppleWebKit/537.3
Requête brute (extrait)
GET /project/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "58c3d77164b1f171575aca111c4de9f8b3d542b4",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "68976db99265042d7b0c3b91df3fbefc1a56cd37",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 260,
"payload_entropy": 5.4093637745807595,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d35979a4f83294db537bad1f5a93ab6479babcb4",
"event_fingerprint": "82f375dca28e57030d78bb359cf79e17e8cff185",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "5b88a669c8d5f8ecd01200ab1a54488d",
"payload_hash": "9bf70241842bc5df0357cf69a81b069c",
"path_pattern_hash": "40d5006de80bb36cea868dfbe43c4ff0"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.3",
"method": "GET",
"path": "\/project\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/project\/.git\/config HTTP\/1.1",
"request_sample": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close",
"payload_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.3",
"evidence": {
"method": "GET",
"path": "\/project\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/project\/.git\/config HTTP\/1.1",
"request_sample": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close",
"payload_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.3",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f3ee80ca462071fe996832b5b139b91945cf1935",
"protocol_details": {
"http_method": "GET",
"http_path": "\/project\/.git\/config",
"request_line": "GET \/project\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.3",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/project\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/project\/.git\/config",
"request_line": "GET \/project\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/project\/.git\/config",
"evidence_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.3",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:47 UTC
TCP
7002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:7002 · (tentative d'exploit) · → /code/.git/config
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /code/.git/config UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/code/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7002
Chemin / cible
/code/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /code/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /code/.git/config HTTP/1.1
Host: 62.3.50.33:7002
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (
Requête brute (extrait)
GET /code/.git/config HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116 Accept-Charset: utf-8 Accept-Encoding: gzip Connectio
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "c8d768376fb642bd5d45dfeaaf05d88be84f9bbc",
"http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff",
"http_target_hash": "538da175681b2052ab512cad0fb3bd57e81adff0",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 268,
"payload_entropy": 5.401160634061854,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.1,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d35979a4f83294db537bad1f5a93ab6479babcb4",
"event_fingerprint": "d94159b09b9b68ac2b980ae59cf2eced448e71e8",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "2512e0d99e351736d3452fd09c838f47",
"payload_hash": "9ecbbe40b4a03ada463f0995ce3555be",
"path_pattern_hash": "dda1558dfc88b8ae947dda6da613b7f7"
},
"target_context": {
"dst_port": 7002,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (",
"method": "GET",
"path": "\/code\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/code\/.git\/config HTTP\/1.1",
"request_sample": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio",
"payload_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (",
"evidence": {
"method": "GET",
"path": "\/code\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/code\/.git\/config HTTP\/1.1",
"request_sample": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio",
"payload_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "40ab9e9b95c1fcd94166930ddc50567701ab7334",
"protocol_details": {
"http_method": "GET",
"http_path": "\/code\/.git\/config",
"request_line": "GET \/code\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (",
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/code\/.git\/config",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/code\/.git\/config",
"request_line": "GET \/code\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/\u2026",
"port": 7002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/code\/.git\/config",
"evidence_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (",
"target_port_label": "7002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"weblogic-ssl"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
������������+�D��o�B('�u��2�ͦ���(0��SF; �6 ��!��5?�<=[�z,��j�j�!��C'�<���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������+�D��o�B('�u��2�ͦ���(0��SF;��6 ��!��5?�<=[�z,��j�j�!��C'�<���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������+�D��o�B('�u��2�ͦ���(0��SF; �6 ��!��5?�<=[�z,��j�j�!��C'�<���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �J|�Q�!K�ݯ�U*�]�w�j�-�JX��\��{
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.895267077647981,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f5075a6a37a887e832dced50c14f75fe",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd+\ufffdD\ufffd\ufffdo\ufffdB('\ufffdu\ufffd\ufffd2\ufffd\u0366\ufffd\ufffd\u001f(0\ufffd\ufffdSF;\u000b\u00176 \ufffd\ufffd!\ufffd\ufffd5?\ufffd<=[\ufffdz,\ufffd\ufffdj\ufffdj\ufffd!\ufffd\ufffdC'\ufffd<\ufffd\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd+\ufffdD\ufffd\ufffdo\ufffdB('\ufffdu\ufffd\ufffd2\ufffd\u0366\ufffd\ufffd\u001f(0\ufffd\ufffdSF;\u000b\u00176 \ufffd\ufffd!\ufffd\ufffd5?\ufffd<=[\ufffdz,\ufffd\ufffdj\ufffdj\ufffd!\ufffd\ufffdC'\ufffd<\ufffd\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdJ|\ufffdQ\ufffd!K\u0002\u076f\ufffdU*\u0002]\ufffdw\ufffdj\u0019-\u000fJX\ufffd\ufffd\\\ufffd\ufffd{",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd+\ufffdD\ufffd\ufffdo\ufffdB('\ufffdu\ufffd\ufffd2\ufffd\u0366\ufffd\ufffd\u001f(0\ufffd\ufffdSF;\u000b\u00176 \ufffd\ufffd!\ufffd\ufffd5?\ufffd<=[\ufffdz,\ufffd\ufffdj\ufffdj\ufffd!\ufffd\ufffdC'\ufffd<\ufffd\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "04a28f855fb71b552865f16824c003510fe5be81",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd+\ufffdD\ufffd\ufffdo\ufffdB('\ufffdu\ufffd\ufffd2\ufffd\u0366\ufffd\ufffd\u001f(0\ufffd\ufffdSF;\u000b\u00176 \ufffd\ufffd!\ufffd\ufffd5?\ufffd<=[\ufffdz,\ufffd\ufffdj\ufffdj\ufffd!\ufffd\ufffdC'\ufffd<\ufffd\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffd\ufffd+\ufffdD\ufffd\ufffdo\ufffdB('\ufffdu\ufffd\ufffd2\ufffd\u0366\ufffd\ufffd(0\ufffd\ufffdSF;6 \ufffd\ufffd!\ufffd\ufffd5?\ufffd<=[\ufffdz,\ufffd\ufffdj\ufffdj\ufffd!\ufffd\ufffdC'\ufffd<\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd+\ufffdD\ufffd\ufffdo\ufffdB('\ufffdu\ufffd\ufffd2\ufffd\u0366\ufffd\ufffd\u001f(0\ufffd\ufffdSF;\u000b\u00176 \ufffd\ufffd!\ufffd\ufffd5?\ufffd<=[\ufffdz,\ufffd\ufffdj\ufffdj\ufffd!\ufffd\ufffdC'\ufffd<\ufffd\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd+\ufffdD\ufffd\ufffdo\ufffdB('\ufffdu\ufffd\ufffd2\ufffd\u0366\ufffd\ufffd(0\ufffd\ufffdSF;6 \ufffd\ufffd!\ufffd\ufffd5?\ufffd<=[\ufffdz,\ufffd\ufffdj\ufffdj\ufffd!\ufffd\ufffdC'\ufffd<\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
��������������b;��f�����ؔ ��4���;�V�d��UW� ^����'�����3N���%�,�E��"�������&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������b;��f�����ؔ
��4���;�V�d��UW� ^����'�����3N���%�,�E��"�������&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������b;��f�����ؔ ��4���;�V�d��UW� ^����'�����3N���%�,�E��"�������&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��v�!@K?�c��-����WD�bOOa~$�HT+
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.753320427791197,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "257a182cc1644c71135197706628177e",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\u0001b;\ufffd\u0001f\ufffd\ufffd\ufffd\u0019\ufffd\u0614\r\ufffd\ufffd4\ufffd\ufffd\ufffd;\ufffdV\ufffdd\ufffd\u0006UW\u001e ^\ufffd\ufffd\u001e\ufffd'\ufffd\u0080\u0002\ufffd\ufffd\ufffd3N\u001c\ufffd\ufffd%\ufffd,\ufffdE\ufffd\ufffd\"\u001a\u0001\ufffd\ufffd\u001a\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\u0001b;\ufffd\u0001f\ufffd\ufffd\ufffd\u0019\ufffd\u0614\r\ufffd\ufffd4\ufffd\ufffd\ufffd;\ufffdV\ufffdd\ufffd\u0006UW\u001e ^\ufffd\ufffd\u001e\ufffd'\ufffd\u0080\u0002\ufffd\ufffd\ufffd3N\u001c\ufffd\ufffd%\ufffd,\ufffdE\ufffd\ufffd\"\u001a\u0001\ufffd\ufffd\u001a\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdv\ufffd!@K?\ufffdc\ufffd\u0002-\ufffd\ufffd\ufffd\u0012WD\ufffdbOOa~$\ufffdHT+",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\u0001b;\ufffd\u0001f\ufffd\ufffd\ufffd\u0019\ufffd\u0614\r\ufffd\ufffd4\ufffd\ufffd\ufffd;\ufffdV\ufffdd\ufffd\u0006UW\u001e ^\ufffd\ufffd\u001e\ufffd'\ufffd\u0080\u0002\ufffd\ufffd\ufffd3N\u001c\ufffd\ufffd%\ufffd,\ufffdE\ufffd\ufffd\"\u001a\u0001\ufffd\ufffd\u001a\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a0b6cc561706d11699b6bb38fb03ee85838bdb9f",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\u0001b;\ufffd\u0001f\ufffd\ufffd\ufffd\u0019\ufffd\u0614\r\ufffd\ufffd4\ufffd\ufffd\ufffd;\ufffdV\ufffdd\ufffd\u0006UW\u001e ^\ufffd\ufffd\u001e\ufffd'\ufffd\u0080\u0002\ufffd\ufffd\ufffd3N\u001c\ufffd\ufffd%\ufffd,\ufffdE\ufffd\ufffd\"\u001a\u0001\ufffd\ufffd\u001a\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffd\ufffdb;\ufffdf\ufffd\ufffd\ufffd\ufffd\u0614\r\ufffd\ufffd4\ufffd\ufffd\ufffd;\ufffdV\ufffdd\ufffdUW ^\ufffd\ufffd\ufffd'\ufffd\u0080\ufffd\ufffd\ufffd3N\ufffd\ufffd%\ufffd,\ufffdE\ufffd\ufffd\"\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\u0001b;\ufffd\u0001f\ufffd\ufffd\ufffd\u0019\ufffd\u0614\r\ufffd\ufffd4\ufffd\ufffd\ufffd;\ufffdV\ufffdd\ufffd\u0006UW\u001e ^\ufffd\ufffd\u001e\ufffd'\ufffd\u0080\u0002\ufffd\ufffd\ufffd3N\u001c\ufffd\ufffd%\ufffd,\ufffdE\ufffd\ufffd\"\u001a\u0001\ufffd\ufffd\u001a\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdb;\ufffdf\ufffd\ufffd\ufffd\ufffd\u0614\r\ufffd\ufffd4\ufffd\ufffd\ufffd;\ufffdV\ufffdd\ufffdUW ^\ufffd\ufffd\ufffd'\ufffd\u0080\ufffd\ufffd\ufffd3N\ufffd\ufffd%\ufffd,\ufffdE\ufffd\ufffd\"\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
�����������"�J����R�ֹ^=]�z9���լ���T*�ʥ�� 2r�3 �a\�'R���/ݞ*��E���'����1���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������"�J����R�ֹ^=]�z9���լ���T*�ʥ�� 2r�3 �a\�'R���/ݞ*��E���'����1���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������"�J����R�ֹ^=]�z9���լ���T*�ʥ�� 2r�3 �a\�'R���/ݞ*��E���'����1���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� � {� ��(Շ�8�b�oY��7X�Iy�\;���0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.828404889352466,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "165b95ecfff81be3f4f506f5352e9f02",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"\ufffdJ\u0013\ufffd\b\ufffdR\u001d\u05b9^=]\ufffdz9\ufffd\ufffd\ufffd\u056c\u0000\ufffd\ufffdT*\ufffd\u02a5\u001a\u0010 2r\ufffd3 \ufffda\\\ufffd'R\ufffd\ufffd\u001d\/\u075e*\u0015\ufffdE\ufffd\b\ufffd'\ufffd\ufffd\ufffd\ufffd1\ufffd\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"\ufffdJ\u0013\ufffd\b\ufffdR\u001d\u05b9^=]\ufffdz9\ufffd\ufffd\ufffd\u056c\u0000\ufffd\ufffdT*\ufffd\u02a5\u001a\u0010 2r\ufffd3 \ufffda\\\ufffd'R\ufffd\ufffd\u001d\/\u075e*\u0015\ufffdE\ufffd\b\ufffd'\ufffd\ufffd\ufffd\ufffd1\ufffd\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\t{\ufffd\f\ufffd\ufffd(\u0547\ufffd8\ufffdb\u0001oY\u0017\ufffd7X\ufffdIy\ufffd\\;\ufffd\ufffd\ufffd0",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"\ufffdJ\u0013\ufffd\b\ufffdR\u001d\u05b9^=]\ufffdz9\ufffd\ufffd\ufffd\u056c\u0000\ufffd\ufffdT*\ufffd\u02a5\u001a\u0010 2r\ufffd3 \ufffda\\\ufffd'R\ufffd\ufffd\u001d\/\u075e*\u0015\ufffdE\ufffd\b\ufffd'\ufffd\ufffd\ufffd\ufffd1\ufffd\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1da7fb8d4a979a5e86fce2090e94e76179645473",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"\ufffdJ\u0013\ufffd\b\ufffdR\u001d\u05b9^=]\ufffdz9\ufffd\ufffd\ufffd\u056c\u0000\ufffd\ufffdT*\ufffd\u02a5\u001a\u0010 2r\ufffd3 \ufffda\\\ufffd'R\ufffd\ufffd\u001d\/\u075e*\u0015\ufffdE\ufffd\b\ufffd'\ufffd\ufffd\ufffd\ufffd1\ufffd\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffd\"\ufffdJ\ufffd\ufffdR\u05b9^=]\ufffdz9\ufffd\ufffd\ufffd\u056c\ufffd\ufffdT*\ufffd\u02a5 2r\ufffd3 \ufffda\\\ufffd'R\ufffd\ufffd\/\u075e*\ufffdE\ufffd\ufffd'\ufffd\ufffd\ufffd\ufffd1\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"\ufffdJ\u0013\ufffd\b\ufffdR\u001d\u05b9^=]\ufffdz9\ufffd\ufffd\ufffd\u056c\u0000\ufffd\ufffdT*\ufffd\u02a5\u001a\u0010 2r\ufffd3 \ufffda\\\ufffd'R\ufffd\ufffd\u001d\/\u075e*\u0015\ufffdE\ufffd\b\ufffd'\ufffd\ufffd\ufffd\ufffd1\ufffd\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\"\ufffdJ\ufffd\ufffdR\u05b9^=]\ufffdz9\ufffd\ufffd\ufffd\u056c\ufffd\ufffdT*\ufffd\u02a5 2r\ufffd3 \ufffda\\\ufffd'R\ufffd\ufffd\/\u075e*\ufffdE\ufffd\ufffd'\ufffd\ufffd\ufffd\ufffd1\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
�����������{C�wX�]���(�)����4��GVh��+�1m#�! �6��3����T���n@y����cJ�0k�jM�́��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������{C�wX�]���(�)����4��GVh��+�1m#�! �6��3����T���n@y����cJ�0k�jM�́��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������{C�wX�]���(�)����4��GVh��+�1m#�! �6��3����T���n@y����cJ�0k�jM�́��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �q��������A���� �� �<փN�6N��&Q
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.847724969667679,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ab8dce45db27552bf428095f1587cce0",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{C\ufffdwX\ufffd]\ufffd\ufffd\ufffd(\ufffd)\ufffd\ufffd\u001e\ufffd4\ufffd\u0011GVh\ufffd\ufffd+\ufffd1m#\ufffd! \ufffd6\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffdT\u0000\ufffd\ufffdn@y\ufffd\ufffd\ufffd\u0017cJ\ufffd0k\ufffdjM\ufffd\u0301\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{C\ufffdwX\ufffd]\ufffd\ufffd\ufffd(\ufffd)\ufffd\ufffd\u001e\ufffd4\ufffd\u0011GVh\ufffd\ufffd+\ufffd1m#\ufffd! \ufffd6\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffdT\u0000\ufffd\ufffdn@y\ufffd\ufffd\ufffd\u0017cJ\ufffd0k\ufffdjM\ufffd\u0301\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdq\ufffd\ufffd\u001a\ufffd\ufffd\u0016\ufffd\ufffdA\ufffd\u0003\u0017\ufffd\n\u0010\ufffd\f\ufffd<\u0583N\ufffd6N\ufffd\u0018&Q",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{C\ufffdwX\ufffd]\ufffd\ufffd\ufffd(\ufffd)\ufffd\ufffd\u001e\ufffd4\ufffd\u0011GVh\ufffd\ufffd+\ufffd1m#\ufffd! \ufffd6\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffdT\u0000\ufffd\ufffdn@y\ufffd\ufffd\ufffd\u0017cJ\ufffd0k\ufffdjM\ufffd\u0301\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7caeebcd1dcf75d5bd31ae12b2f9b483d950f94a",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{C\ufffdwX\ufffd]\ufffd\ufffd\ufffd(\ufffd)\ufffd\ufffd\u001e\ufffd4\ufffd\u0011GVh\ufffd\ufffd+\ufffd1m#\ufffd! \ufffd6\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffdT\u0000\ufffd\ufffdn@y\ufffd\ufffd\ufffd\u0017cJ\ufffd0k\ufffdjM\ufffd\u0301\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffd{C\ufffdwX\ufffd]\ufffd\ufffd\ufffd(\ufffd)\ufffd\ufffd\ufffd4\ufffdGVh\ufffd\ufffd+\ufffd1m#\ufffd! \ufffd6\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffdT\ufffd\ufffdn@y\ufffd\ufffd\ufffdcJ\ufffd0k\ufffdjM\ufffd\u0301\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{C\ufffdwX\ufffd]\ufffd\ufffd\ufffd(\ufffd)\ufffd\ufffd\u001e\ufffd4\ufffd\u0011GVh\ufffd\ufffd+\ufffd1m#\ufffd! \ufffd6\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffdT\u0000\ufffd\ufffdn@y\ufffd\ufffd\ufffd\u0017cJ\ufffd0k\ufffdjM\ufffd\u0301\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd{C\ufffdwX\ufffd]\ufffd\ufffd\ufffd(\ufffd)\ufffd\ufffd\ufffd4\ufffdGVh\ufffd\ufffd+\ufffd1m#\ufffd! \ufffd6\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffdT\ufffd\ufffdn@y\ufffd\ufffd\ufffdcJ\ufffd0k\ufffdjM\ufffd\u0301\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
�����������FN���#���Ӓ6��Y8�*t�_�Drw����j� �)�������9��~���r����k�,��͜��9�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������FN���#���Ӓ6��Y8�*t�_�Drw����j� �)�������9��~���r����k�,��͜��9�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������FN���#���Ӓ6��Y8�*t�_�Drw����j� �)�������9��~���r����k�,��͜��9�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� 6���9��F�N��#)�k.��*�p���5���IL
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.835921665806799,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d71650aa28e6b1d07c247dcffc7fac2f",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003FN\ufffd\u0001\ufffd#\ufffd\ufffd\ufffd\u04d26\ufffd\u001bY8\ufffd*t\ufffd_\ufffdDrw\u001f\ufffd\u001f\ufffdj\ufffd \ufffd)\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00019\ufffd\ufffd~\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffdk\ufffd,\u0019\ufffd\u035c\ufffd\ufffd9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003FN\ufffd\u0001\ufffd#\ufffd\ufffd\ufffd\u04d26\ufffd\u001bY8\ufffd*t\ufffd_\ufffdDrw\u001f\ufffd\u001f\ufffdj\ufffd \ufffd)\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00019\ufffd\ufffd~\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffdk\ufffd,\u0019\ufffd\u035c\ufffd\ufffd9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 6\ufffd\u001f\ufffd9\ufffd\ufffdF\ufffdN\ufffd\ufffd#)\ufffdk.\ufffd\ufffd*\ufffdp\u0011\b\ufffd5\u0017\u0012\ufffdIL",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003FN\ufffd\u0001\ufffd#\ufffd\ufffd\ufffd\u04d26\ufffd\u001bY8\ufffd*t\ufffd_\ufffdDrw\u001f\ufffd\u001f\ufffdj\ufffd \ufffd)\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00019\ufffd\ufffd~\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffdk\ufffd,\u0019\ufffd\u035c\ufffd\ufffd9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d0147d15091ff4942c729cd8b4de08f06eaa0a3c",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003FN\ufffd\u0001\ufffd#\ufffd\ufffd\ufffd\u04d26\ufffd\u001bY8\ufffd*t\ufffd_\ufffdDrw\u001f\ufffd\u001f\ufffdj\ufffd \ufffd)\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00019\ufffd\ufffd~\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffdk\ufffd,\u0019\ufffd\u035c\ufffd\ufffd9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffdFN\ufffd\ufffd#\ufffd\ufffd\ufffd\u04d26\ufffdY8\ufffd*t\ufffd_\ufffdDrw\ufffd\ufffdj\ufffd \ufffd)\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd~\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffdk\ufffd,\ufffd\u035c\ufffd\ufffd9&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003FN\ufffd\u0001\ufffd#\ufffd\ufffd\ufffd\u04d26\ufffd\u001bY8\ufffd*t\ufffd_\ufffdDrw\u001f\ufffd\u001f\ufffdj\ufffd \ufffd)\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00019\ufffd\ufffd~\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffdk\ufffd,\u0019\ufffd\u035c\ufffd\ufffd9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdFN\ufffd\ufffd#\ufffd\ufffd\ufffd\u04d26\ufffdY8\ufffd*t\ufffd_\ufffdDrw\ufffd\ufffdj\ufffd \ufffd)\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd~\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffdk\ufffd,\ufffd\u035c\ufffd\ufffd9&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
������������������(Ԅ6,9F`8g�G�6� -������� -e������X(4����k�s~�њ�ᒱTa5e��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������������(Ԅ6,9F`8g�G�6�
-������� -e������X(4����k�s~�њ�ᒱTa5e��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������������(Ԅ6,9F`8g�G�6� -������� -e������X(4����k�s~�њ�ᒱTa5e��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��X�J9�ZW�s#|��0�n��f_��K_,~��
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.829083118472081,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "65d32d141cb7394af6bae4bfdd00c915",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(\u05046,9F`8g\ufffdG\ufffd6\ufffd\r\n-\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\ufffd -e\ufffd\ufffd\u0004\ufffd\ufffd\ufffdX(4\ufffd\b\ufffd\ufffdk\ufffds~\ufffd\u045a\ufffd\u14b1Ta5e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(\u05046,9F`8g\ufffdG\ufffd6\ufffd\r\n-\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\ufffd -e\ufffd\ufffd\u0004\ufffd\ufffd\ufffdX(4\ufffd\b\ufffd\ufffdk\ufffds~\ufffd\u045a\ufffd\u14b1Ta5e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdX\ufffdJ9\ufffdZW\ufffds#|\ufffd\ufffd0\ufffdn\ufffd\ufffdf_\u0005\ufffdK_,~\ufffd\u001d",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(\u05046,9F`8g\ufffdG\ufffd6\ufffd\r\n-\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\ufffd -e\ufffd\ufffd\u0004\ufffd\ufffd\ufffdX(4\ufffd\b\ufffd\ufffdk\ufffds~\ufffd\u045a\ufffd\u14b1Ta5e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "690015913d81bcb1736930f9841904fee5e16625",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(\u05046,9F`8g\ufffdG\ufffd6\ufffd\r\n-\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\ufffd -e\ufffd\ufffd\u0004\ufffd\ufffd\ufffdX(4\ufffd\b\ufffd\ufffdk\ufffds~\ufffd\u045a\ufffd\u14b1Ta5e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(\u05046,9F`8g\ufffdG\ufffd6\ufffd\r\n-\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd -e\ufffd\ufffd\ufffd\ufffd\ufffdX(4\ufffd\ufffd\ufffdk\ufffds~\ufffd\u045a\ufffd\u14b1Ta5e\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(\u05046,9F`8g\ufffdG\ufffd6\ufffd\r\n-\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\ufffd -e\ufffd\ufffd\u0004\ufffd\ufffd\ufffdX(4\ufffd\b\ufffd\ufffdk\ufffds~\ufffd\u045a\ufffd\u14b1Ta5e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(\u05046,9F`8g\ufffdG\ufffd6\ufffd\r\n-\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd -e\ufffd\ufffd\ufffd\ufffd\ufffdX(4\ufffd\ufffd\ufffdk\ufffds~\ufffd\u045a\ufffd\u14b1Ta5e\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
������������1A�@�ʥ-�+�A�Jf�n�\,-��ٗ��?�� ��jb�W��U� ���H�ō��\�z���3�F����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������1A�@�ʥ-�+�A�Jf�n�\,-��ٗ��?�� ��jb�W��U�����H�ō��\�z���3�F����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������1A�@�ʥ-�+�A�Jf�n�\,-��ٗ��?�� ��jb�W��U� ���H�ō��\�z���3�F����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��{�_"N��B�� ������O����� ��x�E9
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.873429082046002,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c15304c8a07faa80efd4ef8e9e3af7f1",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd1A\ufffd@\ufffd\u02a5-\ufffd+\u0011A\ufffdJf\ufffdn\ufffd\\,-\ufffd\u0017\u0657\ufffd\ufffd?\ufffd\ufffd \ufffd\ufffdjb\ufffdW\u0012\ufffdU\ufffd\u000b\ufffd\ufffd\ufffdH\u0007\u014d\ufffd\ufffd\\\ufffdz\ufffd\ufffd\ufffd3\ufffdF\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd1A\ufffd@\ufffd\u02a5-\ufffd+\u0011A\ufffdJf\ufffdn\ufffd\\,-\ufffd\u0017\u0657\ufffd\ufffd?\ufffd\ufffd \ufffd\ufffdjb\ufffdW\u0012\ufffdU\ufffd\u000b\ufffd\ufffd\ufffdH\u0007\u014d\ufffd\ufffd\\\ufffdz\ufffd\ufffd\ufffd3\ufffdF\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd{\ufffd_\"N\u0012\u001dB\u0017\ufffd\n\u0010\ufffd\ufffd\ufffd\ufffd\u0016O\ufffd\u0012\ufffd\u0019\ufffd \u001f\ufffdx\ufffdE9",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd1A\ufffd@\ufffd\u02a5-\ufffd+\u0011A\ufffdJf\ufffdn\ufffd\\,-\ufffd\u0017\u0657\ufffd\ufffd?\ufffd\ufffd \ufffd\ufffdjb\ufffdW\u0012\ufffdU\ufffd\u000b\ufffd\ufffd\ufffdH\u0007\u014d\ufffd\ufffd\\\ufffdz\ufffd\ufffd\ufffd3\ufffdF\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b684b643bb061051e90c2227d98e8f53dda6bf12",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd1A\ufffd@\ufffd\u02a5-\ufffd+\u0011A\ufffdJf\ufffdn\ufffd\\,-\ufffd\u0017\u0657\ufffd\ufffd?\ufffd\ufffd \ufffd\ufffdjb\ufffdW\u0012\ufffdU\ufffd\u000b\ufffd\ufffd\ufffdH\u0007\u014d\ufffd\ufffd\\\ufffdz\ufffd\ufffd\ufffd3\ufffdF\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffd\ufffd1A\ufffd@\ufffd\u02a5-\ufffd+A\ufffdJf\ufffdn\ufffd\\,-\ufffd\u0657\ufffd\ufffd?\ufffd\ufffd \ufffd\ufffdjb\ufffdW\ufffdU\ufffd\ufffd\ufffd\ufffdH\u014d\ufffd\ufffd\\\ufffdz\ufffd\ufffd\ufffd3\ufffdF\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd1A\ufffd@\ufffd\u02a5-\ufffd+\u0011A\ufffdJf\ufffdn\ufffd\\,-\ufffd\u0017\u0657\ufffd\ufffd?\ufffd\ufffd \ufffd\ufffdjb\ufffdW\u0012\ufffdU\ufffd\u000b\ufffd\ufffd\ufffdH\u0007\u014d\ufffd\ufffd\\\ufffdz\ufffd\ufffd\ufffd3\ufffdF\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd1A\ufffd@\ufffd\u02a5-\ufffd+A\ufffdJf\ufffdn\ufffd\\,-\ufffd\u0657\ufffd\ufffd?\ufffd\ufffd \ufffd\ufffdjb\ufffdW\ufffdU\ufffd\ufffd\ufffd\ufffdH\u014d\ufffd\ufffd\\\ufffdz\ufffd\ufffd\ufffd3\ufffdF\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
�����������>�u`y���=�ϻl��'��;sn�U� �^z�� T��ض�|q��}�׆�T�Ys/�۷��@���Ѫ��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������>�u`y���=�ϻl��'��;sn�U� �^z�� T��ض�|q��}�׆�T�Ys/�۷��@���Ѫ��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������>�u`y���=�ϻl��'��;sn�U� �^z�� T��ض�|q��}�׆�T�Ys/�۷��@���Ѫ��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� 8F��^�|�A�>ʴ�B������w����O�2
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.889464475355462,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "84221cf1374278d7a08196791b3ca036",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>\ufffdu`y\ufffd\u074c\ufffd\u001d=\ufffd\u03fbl\ufffd\ufffd'\ufffd\ufffd;sn\ufffdU\ufffd\t\ufffd^z\ufffd\ufffd T\u001c\ufffd\u0636\ufffd|q\ufffd\ufffd}\ufffd\u05c6\ufffdT\u0005Ys\/\ufffd\u06f7\ufffd\ufffd@\ufffd\u0017\ufffd\u046a\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>\ufffdu`y\ufffd\u074c\ufffd\u001d=\ufffd\u03fbl\ufffd\ufffd'\ufffd\ufffd;sn\ufffdU\ufffd\t\ufffd^z\ufffd\ufffd T\u001c\ufffd\u0636\ufffd|q\ufffd\ufffd}\ufffd\u05c6\ufffdT\u0005Ys\/\ufffd\u06f7\ufffd\ufffd@\ufffd\u0017\ufffd\u046a\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 8F\ufffd\ufffd^\ufffd|\ufffdA\ufffd>\u02b4\ufffdB\ufffd\ufffd\ufffd\u0010\ufffd\ufffdw\u0017\ufffd\ufffd\ufffdO\ufffd2",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>\ufffdu`y\ufffd\u074c\ufffd\u001d=\ufffd\u03fbl\ufffd\ufffd'\ufffd\ufffd;sn\ufffdU\ufffd\t\ufffd^z\ufffd\ufffd T\u001c\ufffd\u0636\ufffd|q\ufffd\ufffd}\ufffd\u05c6\ufffdT\u0005Ys\/\ufffd\u06f7\ufffd\ufffd@\ufffd\u0017\ufffd\u046a\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f8c1eb9dd5bb618c80cf773870db732fff61a537",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>\ufffdu`y\ufffd\u074c\ufffd\u001d=\ufffd\u03fbl\ufffd\ufffd'\ufffd\ufffd;sn\ufffdU\ufffd\t\ufffd^z\ufffd\ufffd T\u001c\ufffd\u0636\ufffd|q\ufffd\ufffd}\ufffd\u05c6\ufffdT\u0005Ys\/\ufffd\u06f7\ufffd\ufffd@\ufffd\u0017\ufffd\u046a\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffd>\ufffdu`y\ufffd\u074c\ufffd=\ufffd\u03fbl\ufffd\ufffd'\ufffd\ufffd;sn\ufffdU\ufffd\t\ufffd^z\ufffd\ufffd T\ufffd\u0636\ufffd|q\ufffd\ufffd}\ufffd\u05c6\ufffdTYs\/\ufffd\u06f7\ufffd\ufffd@\ufffd\ufffd\u046a\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>\ufffdu`y\ufffd\u074c\ufffd\u001d=\ufffd\u03fbl\ufffd\ufffd'\ufffd\ufffd;sn\ufffdU\ufffd\t\ufffd^z\ufffd\ufffd T\u001c\ufffd\u0636\ufffd|q\ufffd\ufffd}\ufffd\u05c6\ufffdT\u0005Ys\/\ufffd\u06f7\ufffd\ufffd@\ufffd\u0017\ufffd\u046a\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd>\ufffdu`y\ufffd\u074c\ufffd=\ufffd\u03fbl\ufffd\ufffd'\ufffd\ufffd;sn\ufffdU\ufffd\t\ufffd^z\ufffd\ufffd T\ufffd\u0636\ufffd|q\ufffd\ufffd}\ufffd\u05c6\ufffdTYs\/\ufffd\u06f7\ufffd\ufffd@\ufffd\ufffd\u046a\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
������������� ް��>�6��L�0}���������,b:� �MlU���WE�$�h��Fp�g��v�����dz����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������� ް��>�6��L�0}���������,b:� �MlU���WE�$�h��Fp�g��v�����dz����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������� ް��>�6��L�0}���������,b:� �MlU���WE�$�h��Fp�g��v�����dz����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ����Q>��E�p�5�)�D�X��oJu���Z����
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.847333909450006,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "4e2dd71f85c6dfe338ef9e0b6a5c757b",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\t\u07b0\ufffd\ufffd>\u00036\ufffd\ufffdL\ufffd0}\ufffd\ufffd\ufffd\u0013\u001b\u001f\ufffd\ufffd\ufffd,b:\ufffd \ufffdMlU\ufffd\ufffd\ufffdWE\ufffd$\ufffdh\ufffd\ufffdFp\u001eg\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\u001c\u01f3\u0004\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\t\u07b0\ufffd\ufffd>\u00036\ufffd\ufffdL\ufffd0}\ufffd\ufffd\ufffd\u0013\u001b\u001f\ufffd\ufffd\ufffd,b:\ufffd \ufffdMlU\ufffd\ufffd\ufffdWE\ufffd$\ufffdh\ufffd\ufffdFp\u001eg\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\u001c\u01f3\u0004\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\u001b\ufffdQ>\ufffd\ufffdE\ufffdp\u00125\ufffd)\ufffdD\ufffdX\ufffd\ufffdoJu\ufffd\u0010\u0002Z\u0013\u0014\ufffd\u0019",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\t\u07b0\ufffd\ufffd>\u00036\ufffd\ufffdL\ufffd0}\ufffd\ufffd\ufffd\u0013\u001b\u001f\ufffd\ufffd\ufffd,b:\ufffd \ufffdMlU\ufffd\ufffd\ufffdWE\ufffd$\ufffdh\ufffd\ufffdFp\u001eg\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\u001c\u01f3\u0004\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1217f44a4fe1cd53e8c8734071ce3bf64fe6b4ce",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\t\u07b0\ufffd\ufffd>\u00036\ufffd\ufffdL\ufffd0}\ufffd\ufffd\ufffd\u0013\u001b\u001f\ufffd\ufffd\ufffd,b:\ufffd \ufffdMlU\ufffd\ufffd\ufffdWE\ufffd$\ufffdh\ufffd\ufffdFp\u001eg\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\u001c\u01f3\u0004\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\t\u07b0\ufffd\ufffd>6\ufffd\ufffdL\ufffd0}\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd,b:\ufffd \ufffdMlU\ufffd\ufffd\ufffdWE\ufffd$\ufffdh\ufffd\ufffdFpg\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\u01f3\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\t\u07b0\ufffd\ufffd>\u00036\ufffd\ufffdL\ufffd0}\ufffd\ufffd\ufffd\u0013\u001b\u001f\ufffd\ufffd\ufffd,b:\ufffd \ufffdMlU\ufffd\ufffd\ufffdWE\ufffd$\ufffdh\ufffd\ufffdFp\u001eg\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\u001c\u01f3\u0004\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\t\u07b0\ufffd\ufffd>6\ufffd\ufffdL\ufffd0}\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd,b:\ufffd \ufffdMlU\ufffd\ufffd\ufffdWE\ufffd$\ufffdh\ufffd\ufffdFpg\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\u01f3\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
�����������I�:.G������ ��H֎�j�����8k«��L9 �>V�}��M�`�"�i���ʭ��,5���:Sv���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������I�:.G������ ��H֎�j�����8k«��L9 �>V�}��M�`�"�i���ʭ��,5���:Sv���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������I�:.G������ ��H֎�j�����8k«��L9 �>V�}��M�`�"�i���ʭ��,5���:Sv���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �S���{*J���0j��^�נa��'<�]!(S3�F
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.909963626941362,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "5fbc178af494d9fa50d68828c1d30e44",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I\ufffd:.G\ufffd\ufffd\ufffd\ufffd\u0018\ufffd\t\ufffd\ufffdH\u058e\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd8k\u00ab\u0019\u0000L9 \ufffd>V\ufffd}\ufffd\ufffdM\ufffd`\ufffd\"\ufffdi\ufffd\ufffd\ufffd\u02ad\ufffd\u0012,5\ufffd\ufffd\ufffd:Sv\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I\ufffd:.G\ufffd\ufffd\ufffd\ufffd\u0018\ufffd\t\ufffd\ufffdH\u058e\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd8k\u00ab\u0019\u0000L9 \ufffd>V\ufffd}\ufffd\ufffdM\ufffd`\ufffd\"\ufffdi\ufffd\ufffd\ufffd\u02ad\ufffd\u0012,5\ufffd\ufffd\ufffd:Sv\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdS\ufffd\ufffd\u0012{*J\ufffd\ufffd\ufffd0j\ufffd\ufffd^\u0004\u05e0a\u001a\ufffd'<\ufffd]!(S3\ufffdF",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I\ufffd:.G\ufffd\ufffd\ufffd\ufffd\u0018\ufffd\t\ufffd\ufffdH\u058e\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd8k\u00ab\u0019\u0000L9 \ufffd>V\ufffd}\ufffd\ufffdM\ufffd`\ufffd\"\ufffdi\ufffd\ufffd\ufffd\u02ad\ufffd\u0012,5\ufffd\ufffd\ufffd:Sv\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "49faae1723a1a2887cbb2a0f5f59b3a333588f0d",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I\ufffd:.G\ufffd\ufffd\ufffd\ufffd\u0018\ufffd\t\ufffd\ufffdH\u058e\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd8k\u00ab\u0019\u0000L9 \ufffd>V\ufffd}\ufffd\ufffdM\ufffd`\ufffd\"\ufffdi\ufffd\ufffd\ufffd\u02ad\ufffd\u0012,5\ufffd\ufffd\ufffd:Sv\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffdI\ufffd:.G\ufffd\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffdH\u058e\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd8k\u00abL9 \ufffd>V\ufffd}\ufffd\ufffdM\ufffd`\ufffd\"\ufffdi\ufffd\ufffd\ufffd\u02ad\ufffd,5\ufffd\ufffd\ufffd:Sv\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I\ufffd:.G\ufffd\ufffd\ufffd\ufffd\u0018\ufffd\t\ufffd\ufffdH\u058e\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd8k\u00ab\u0019\u0000L9 \ufffd>V\ufffd}\ufffd\ufffdM\ufffd`\ufffd\"\ufffdi\ufffd\ufffd\ufffd\u02ad\ufffd\u0012,5\ufffd\ufffd\ufffd:Sv\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdI\ufffd:.G\ufffd\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffdH\u058e\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd8k\u00abL9 \ufffd>V\ufffd}\ufffd\ufffdM\ufffd`\ufffd\"\ufffdi\ufffd\ufffd\ufffd\u02ad\ufffd,5\ufffd\ufffd\ufffd:Sv\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
���������������00ɺф�ض�_�x����o������KKm 7�������'���)����j�����w����B�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���������������00ɺф�ض�_�x����o������KKm 7�������'���)����j�����w����B�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
���������������00ɺф�ض�_�x����o������KKm 7�������'���)����j�����w����B�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �μJt���xn7��E�����U�ZE���7 �4
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.764653769396592,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "4bcb7fa44d6e7903902e7f4d61618d7d",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0007\u001900\u027a\u0444\u0018\u0636\ufffd_\ufffdx\ufffd\ufffd\ufffd\u0003o\ufffd\u0002\ufffd\ufffd\ufffd\u0000KKm 7\ufffd\u001e\ufffd\ufffd\ufffd\u001e\ufffd'\ufffd\ufffd\u0011)\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd\u0007\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffdB\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0007\u001900\u027a\u0444\u0018\u0636\ufffd_\ufffdx\ufffd\ufffd\ufffd\u0003o\ufffd\u0002\ufffd\ufffd\ufffd\u0000KKm 7\ufffd\u001e\ufffd\ufffd\ufffd\u001e\ufffd'\ufffd\ufffd\u0011)\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd\u0007\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffdB\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u03bcJt\ufffd\ufffd\ufffdxn7\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffdU\ufffdZE\ufffd\ufffd\ufffd7\t\ufffd4 ",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0007\u001900\u027a\u0444\u0018\u0636\ufffd_\ufffdx\ufffd\ufffd\ufffd\u0003o\ufffd\u0002\ufffd\ufffd\ufffd\u0000KKm 7\ufffd\u001e\ufffd\ufffd\ufffd\u001e\ufffd'\ufffd\ufffd\u0011)\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd\u0007\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffdB\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bef348b3c4c37870a02e17f5b9ac56345f369054",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0007\u001900\u027a\u0444\u0018\u0636\ufffd_\ufffdx\ufffd\ufffd\ufffd\u0003o\ufffd\u0002\ufffd\ufffd\ufffd\u0000KKm 7\ufffd\u001e\ufffd\ufffd\ufffd\u001e\ufffd'\ufffd\ufffd\u0011)\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd\u0007\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffdB\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd00\u027a\u0444\u0636\ufffd_\ufffdx\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffdKKm 7\ufffd\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffdB&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0007\u001900\u027a\u0444\u0018\u0636\ufffd_\ufffdx\ufffd\ufffd\ufffd\u0003o\ufffd\u0002\ufffd\ufffd\ufffd\u0000KKm 7\ufffd\u001e\ufffd\ufffd\ufffd\u001e\ufffd'\ufffd\ufffd\u0011)\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd\u0007\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffdB\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd00\u027a\u0444\u0636\ufffd_\ufffdx\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffdKKm 7\ufffd\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffdB&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
�����������S��Q����]� ���#��s1V��r��L@r]��f ���f?�\�KJ���������æ����Ky���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������S��Q����]� ���#��s1V��r��L@r]��f ���f?�\�KJ���������æ����Ky���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������S��Q����]� ���#��s1V��r��L@r]��f ���f?�\�KJ���������æ����Ky���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���EA��P�w�ɟ��̽�E �(�b��kٻ>�'
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.897039498891274,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6ffbe5ca8c39701f40b9a9fa5d44b2a2",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003S\ufffd\ufffdQ\ufffd\u001e\ufffd\ufffd]\u001a\t\ufffd\ufffd\ufffd#\ufffd\ufffds1V\ufffd\ufffdr\ufffd\u0006L@r]\u0010\ufffdf \ufffd\ufffd\ufffdf?\ufffd\\\ufffdKJ\ufffd\ufffd\u0001\u000e\ufffd\u0019\ufffd\ufffd\ufffd\u00e6\ufffd\ufffd\ufffd\ufffdKy\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003S\ufffd\ufffdQ\ufffd\u001e\ufffd\ufffd]\u001a\t\ufffd\ufffd\ufffd#\ufffd\ufffds1V\ufffd\ufffdr\ufffd\u0006L@r]\u0010\ufffdf \ufffd\ufffd\ufffdf?\ufffd\\\ufffdKJ\ufffd\ufffd\u0001\u000e\ufffd\u0019\ufffd\ufffd\ufffd\u00e6\ufffd\ufffd\ufffd\ufffdKy\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0012\ufffdEA\ufffd\ufffdP\ufffdw\ufffd\u025f\ufffd\u001e\u033d\ufffdE\u000b\ufffd(\ufffdb\ufffd\ufffdk\u067b>\ufffd'",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003S\ufffd\ufffdQ\ufffd\u001e\ufffd\ufffd]\u001a\t\ufffd\ufffd\ufffd#\ufffd\ufffds1V\ufffd\ufffdr\ufffd\u0006L@r]\u0010\ufffdf \ufffd\ufffd\ufffdf?\ufffd\\\ufffdKJ\ufffd\ufffd\u0001\u000e\ufffd\u0019\ufffd\ufffd\ufffd\u00e6\ufffd\ufffd\ufffd\ufffdKy\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d4765cfe830eb6a789d10a4c099d667a49b37701",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003S\ufffd\ufffdQ\ufffd\u001e\ufffd\ufffd]\u001a\t\ufffd\ufffd\ufffd#\ufffd\ufffds1V\ufffd\ufffdr\ufffd\u0006L@r]\u0010\ufffdf \ufffd\ufffd\ufffdf?\ufffd\\\ufffdKJ\ufffd\ufffd\u0001\u000e\ufffd\u0019\ufffd\ufffd\ufffd\u00e6\ufffd\ufffd\ufffd\ufffdKy\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffdS\ufffd\ufffdQ\ufffd\ufffd\ufffd]\t\ufffd\ufffd\ufffd#\ufffd\ufffds1V\ufffd\ufffdr\ufffdL@r]\ufffdf \ufffd\ufffd\ufffdf?\ufffd\\\ufffdKJ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00e6\ufffd\ufffd\ufffd\ufffdKy\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003S\ufffd\ufffdQ\ufffd\u001e\ufffd\ufffd]\u001a\t\ufffd\ufffd\ufffd#\ufffd\ufffds1V\ufffd\ufffdr\ufffd\u0006L@r]\u0010\ufffdf \ufffd\ufffd\ufffdf?\ufffd\\\ufffdKJ\ufffd\ufffd\u0001\u000e\ufffd\u0019\ufffd\ufffd\ufffd\u00e6\ufffd\ufffd\ufffd\ufffdKy\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdS\ufffd\ufffdQ\ufffd\ufffd\ufffd]\t\ufffd\ufffd\ufffd#\ufffd\ufffds1V\ufffd\ufffdr\ufffdL@r]\ufffdf \ufffd\ufffd\ufffdf?\ufffd\\\ufffdKJ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00e6\ufffd\ufffd\ufffd\ufffdKy\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
�����������������QY�R���v�����f��d>Ғ�C���j ����b�Z������G(�j�����X!w��d��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������������QY�R���v�����f��d>Ғ�C���j ����b�Z������G(�j�����X!w��d��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������������QY�R���v�����f��d>Ғ�C���j ����b�Z������G(�j�����X!w��d��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ����3�Y^�k>��N��^�E`/��d1(v���a
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.851053676478614,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "fe32cfc4e7133a48239ca35776d1a7f6",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQY\ufffdR\ufffd\u001c\ufffdv\ufffd\ufffd\ufffd\u001e\u0006f\ufffd\ufffdd>\u0492\ufffdC\ufffd\ufffd\ufffdj \ufffd\ufffd\ufffd\ufffdb\ufffdZ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG(\ufffdj\ufffd\u0011\u001c\ufffd\ufffdX!w\ufffd\ufffdd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQY\ufffdR\ufffd\u001c\ufffdv\ufffd\ufffd\ufffd\u001e\u0006f\ufffd\ufffdd>\u0492\ufffdC\ufffd\ufffd\ufffdj \ufffd\ufffd\ufffd\ufffdb\ufffdZ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG(\ufffdj\ufffd\u0011\u001c\ufffd\ufffdX!w\ufffd\ufffdd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0016\ufffd\ufffd3\ufffdY^\u0005k>\ufffd\ufffdN\ufffd\ufffd^\ufffdE`\/\ufffd\ufffdd1(v\u001a\ufffd\ufffda",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQY\ufffdR\ufffd\u001c\ufffdv\ufffd\ufffd\ufffd\u001e\u0006f\ufffd\ufffdd>\u0492\ufffdC\ufffd\ufffd\ufffdj \ufffd\ufffd\ufffd\ufffdb\ufffdZ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG(\ufffdj\ufffd\u0011\u001c\ufffd\ufffdX!w\ufffd\ufffdd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dfcc1f679e7a5aca5a81a2a354cd6c764f06d60d",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQY\ufffdR\ufffd\u001c\ufffdv\ufffd\ufffd\ufffd\u001e\u0006f\ufffd\ufffdd>\u0492\ufffdC\ufffd\ufffd\ufffdj \ufffd\ufffd\ufffd\ufffdb\ufffdZ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG(\ufffdj\ufffd\u0011\u001c\ufffd\ufffdX!w\ufffd\ufffdd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQY\ufffdR\ufffd\ufffdv\ufffd\ufffd\ufffdf\ufffd\ufffdd>\u0492\ufffdC\ufffd\ufffd\ufffdj \ufffd\ufffd\ufffd\ufffdb\ufffdZ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG(\ufffdj\ufffd\ufffd\ufffdX!w\ufffd\ufffdd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQY\ufffdR\ufffd\u001c\ufffdv\ufffd\ufffd\ufffd\u001e\u0006f\ufffd\ufffdd>\u0492\ufffdC\ufffd\ufffd\ufffdj \ufffd\ufffd\ufffd\ufffdb\ufffdZ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG(\ufffdj\ufffd\u0011\u001c\ufffd\ufffdX!w\ufffd\ufffdd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQY\ufffdR\ufffd\ufffdv\ufffd\ufffd\ufffdf\ufffd\ufffdd>\u0492\ufffdC\ufffd\ufffd\ufffdj \ufffd\ufffd\ufffd\ufffdb\ufffdZ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG(\ufffdj\ufffd\ufffd\ufffdX!w\ufffd\ufffdd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
�������������j�ìI1���RlYR��N�t>8ⵟ �@�J� U��~��\�e$�!�/)���p��+���=yLŖ���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������j�ìI1���RlYR��N�t>8ⵟ��@�J� U��~��\�e$�!�/)���p��+���=yLŖ���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������j�ìI1���RlYR��N�t>8ⵟ �@�J� U��~��\�e$�!�/)���p��+���=yLŖ���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� _������cmC�G>�������`�N��� ��g
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.9103320907005354,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "910254e78559f728b2337f4c2ec07508",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdj\ufffd\u00ecI1\ufffd\ufffd\ufffdRlYR\ufffd\ufffdN\ufffdt>8\u2d5f\u000b\ufffd@\u0018J\ufffd U\ufffd\ufffd~\u001e\ufffd\\\ufffde$\ufffd!\ufffd\/)\ufffd\ufffd\u0018p\ufffd\ufffd+\u0018\ufffd\ufffd=yL\u0156\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdj\ufffd\u00ecI1\ufffd\ufffd\ufffdRlYR\ufffd\ufffdN\ufffdt>8\u2d5f\u000b\ufffd@\u0018J\ufffd U\ufffd\ufffd~\u001e\ufffd\\\ufffde$\ufffd!\ufffd\/)\ufffd\ufffd\u0018p\ufffd\ufffd+\u0018\ufffd\ufffd=yL\u0156\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 _\ufffd\u001f\ufffd\u001e\u0013\ufffdcmC\ufffdG>\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0011`\ufffdN\ufffd\ufffd\ufffd\r\ufffd\ufffdg",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdj\ufffd\u00ecI1\ufffd\ufffd\ufffdRlYR\ufffd\ufffdN\ufffdt>8\u2d5f\u000b\ufffd@\u0018J\ufffd U\ufffd\ufffd~\u001e\ufffd\\\ufffde$\ufffd!\ufffd\/)\ufffd\ufffd\u0018p\ufffd\ufffd+\u0018\ufffd\ufffd=yL\u0156\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6427668f116bd371c1775f21a9169d101cd6bc9f",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdj\ufffd\u00ecI1\ufffd\ufffd\ufffdRlYR\ufffd\ufffdN\ufffdt>8\u2d5f\u000b\ufffd@\u0018J\ufffd U\ufffd\ufffd~\u001e\ufffd\\\ufffde$\ufffd!\ufffd\/)\ufffd\ufffd\u0018p\ufffd\ufffd+\u0018\ufffd\ufffd=yL\u0156\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdj\ufffd\u00ecI1\ufffd\ufffd\ufffdRlYR\ufffd\ufffdN\ufffdt>8\u2d5f\ufffd@J\ufffd U\ufffd\ufffd~\ufffd\\\ufffde$\ufffd!\ufffd\/)\ufffd\ufffdp\ufffd\ufffd+\ufffd\ufffd=yL\u0156\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdj\ufffd\u00ecI1\ufffd\ufffd\ufffdRlYR\ufffd\ufffdN\ufffdt>8\u2d5f\u000b\ufffd@\u0018J\ufffd U\ufffd\ufffd~\u001e\ufffd\\\ufffde$\ufffd!\ufffd\/)\ufffd\ufffd\u0018p\ufffd\ufffd+\u0018\ufffd\ufffd=yL\u0156\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdj\ufffd\u00ecI1\ufffd\ufffd\ufffdRlYR\ufffd\ufffdN\ufffdt>8\u2d5f\ufffd@J\ufffd U\ufffd\ufffd~\ufffd\\\ufffde$\ufffd!\ufffd\/)\ufffd\ufffdp\ufffd\ufffd+\ufffd\ufffd=yL\u0156\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
�����������!��"����Jw�VQ��6�Zd�r �(��8�R� c����\j9j�+��rc.x��5~�����.'"���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������!��"����Jw�VQ��6�Zd�r �(��8�R� c����\j9j�+��rc.x��5~�����.'"���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������!��"����Jw�VQ��6�Zd�r �(��8�R� c����\j9j�+��rc.x��5~�����.'"���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��>�v_]�o�PRd����do���7P���#�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.841681905961842,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ebee75157055d2623ab845218a83c181",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003!\ufffd\ufffd\"\u0019\ufffd\u001a\ufffdJw\ufffdVQ\u0013\ufffd6\u001bZd\ufffdr\t\ufffd(\ufffd\ufffd8\bR\ufffd c\ufffd\ufffd\u0001\ufffd\\j9j\ufffd+\ufffd\ufffdrc.x\ufffd\u001a5~\ufffd\ufffd\ufffd\ufffd\ufffd.'\"\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003!\ufffd\ufffd\"\u0019\ufffd\u001a\ufffdJw\ufffdVQ\u0013\ufffd6\u001bZd\ufffdr\t\ufffd(\ufffd\ufffd8\bR\ufffd c\ufffd\ufffd\u0001\ufffd\\j9j\ufffd+\ufffd\ufffdrc.x\ufffd\u001a5~\ufffd\ufffd\ufffd\ufffd\ufffd.'\"\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0003\ufffd>\ufffdv_]\ufffdo\ufffdPRd\ufffd\ufffd\ufffd\u001ado\u0007\ufffd\ufffd7P\ufffd\ufffd\ufffd#\u0012",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003!\ufffd\ufffd\"\u0019\ufffd\u001a\ufffdJw\ufffdVQ\u0013\ufffd6\u001bZd\ufffdr\t\ufffd(\ufffd\ufffd8\bR\ufffd c\ufffd\ufffd\u0001\ufffd\\j9j\ufffd+\ufffd\ufffdrc.x\ufffd\u001a5~\ufffd\ufffd\ufffd\ufffd\ufffd.'\"\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7e58b6aa14af3dda22a45408ccabebc60a7a2b86",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003!\ufffd\ufffd\"\u0019\ufffd\u001a\ufffdJw\ufffdVQ\u0013\ufffd6\u001bZd\ufffdr\t\ufffd(\ufffd\ufffd8\bR\ufffd c\ufffd\ufffd\u0001\ufffd\\j9j\ufffd+\ufffd\ufffdrc.x\ufffd\u001a5~\ufffd\ufffd\ufffd\ufffd\ufffd.'\"\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffd!\ufffd\ufffd\"\ufffd\ufffdJw\ufffdVQ\ufffd6Zd\ufffdr\t\ufffd(\ufffd\ufffd8R\ufffd c\ufffd\ufffd\ufffd\\j9j\ufffd+\ufffd\ufffdrc.x\ufffd5~\ufffd\ufffd\ufffd\ufffd\ufffd.'\"\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003!\ufffd\ufffd\"\u0019\ufffd\u001a\ufffdJw\ufffdVQ\u0013\ufffd6\u001bZd\ufffdr\t\ufffd(\ufffd\ufffd8\bR\ufffd c\ufffd\ufffd\u0001\ufffd\\j9j\ufffd+\ufffd\ufffdrc.x\ufffd\u001a5~\ufffd\ufffd\ufffd\ufffd\ufffd.'\"\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd!\ufffd\ufffd\"\ufffd\ufffdJw\ufffdVQ\ufffd6Zd\ufffdr\t\ufffd(\ufffd\ufffd8R\ufffd c\ufffd\ufffd\ufffd\\j9j\ufffd+\ufffd\ufffdrc.x\ufffd5~\ufffd\ufffd\ufffd\ufffd\ufffd.'\"\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
�������������a��hJН���|_�E������B����R � _6|d�W��<����_W��Ls��F������P�@�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������a��hJН���|_�E������B����R � _6|d�W��<����_W��Ls��F������P�@�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������a��hJН���|_�E������B����R � _6|d�W��<����_W��Ls��F������P�@�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� Y� ]��� �`�4n����������E.�N� ��\
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.803149870823701,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "db4698fdc24bc01a51c68745e2a55346",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffda\b\ufffdhJ\u041d\ufffd\ufffd\ufffd|_\ufffdE\ufffd\ufffd\ufffd\u0019\u0017\ufffdB\ufffd\ufffd\u0012\ufffdR \ufffd _6|d\ufffdW\ufffd\ufffd<\u0015\ufffd\ufffd\u0005_W\ufffd\ufffdLs\u0002\ufffdF\ufffd\ufffd\ufffd\u0014\ufffd\ufffdP\ufffd@\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffda\b\ufffdhJ\u041d\ufffd\ufffd\ufffd|_\ufffdE\ufffd\ufffd\ufffd\u0019\u0017\ufffdB\ufffd\ufffd\u0012\ufffdR \ufffd _6|d\ufffdW\ufffd\ufffd<\u0015\ufffd\ufffd\u0005_W\ufffd\ufffdLs\u0002\ufffdF\ufffd\ufffd\ufffd\u0014\ufffd\ufffdP\ufffd@\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 Y\ufffd ]\ufffd\u001a\ufffd\n\ufffd`\ufffd4n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdE.\ufffdN\ufffd\n\ufffd\u0013\\",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffda\b\ufffdhJ\u041d\ufffd\ufffd\ufffd|_\ufffdE\ufffd\ufffd\ufffd\u0019\u0017\ufffdB\ufffd\ufffd\u0012\ufffdR \ufffd _6|d\ufffdW\ufffd\ufffd<\u0015\ufffd\ufffd\u0005_W\ufffd\ufffdLs\u0002\ufffdF\ufffd\ufffd\ufffd\u0014\ufffd\ufffdP\ufffd@\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f520635da8cd7a3b33bf5f91c35df2c895855e36",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffda\b\ufffdhJ\u041d\ufffd\ufffd\ufffd|_\ufffdE\ufffd\ufffd\ufffd\u0019\u0017\ufffdB\ufffd\ufffd\u0012\ufffdR \ufffd _6|d\ufffdW\ufffd\ufffd<\u0015\ufffd\ufffd\u0005_W\ufffd\ufffdLs\u0002\ufffdF\ufffd\ufffd\ufffd\u0014\ufffd\ufffdP\ufffd@\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffda\ufffdhJ\u041d\ufffd\ufffd\ufffd|_\ufffdE\ufffd\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffdR \ufffd _6|d\ufffdW\ufffd\ufffd<\ufffd\ufffd_W\ufffd\ufffdLs\ufffdF\ufffd\ufffd\ufffd\ufffd\ufffdP\ufffd@&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffda\b\ufffdhJ\u041d\ufffd\ufffd\ufffd|_\ufffdE\ufffd\ufffd\ufffd\u0019\u0017\ufffdB\ufffd\ufffd\u0012\ufffdR \ufffd _6|d\ufffdW\ufffd\ufffd<\u0015\ufffd\ufffd\u0005_W\ufffd\ufffdLs\u0002\ufffdF\ufffd\ufffd\ufffd\u0014\ufffd\ufffdP\ufffd@\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffda\ufffdhJ\u041d\ufffd\ufffd\ufffd|_\ufffdE\ufffd\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffdR \ufffd _6|d\ufffdW\ufffd\ufffd<\ufffd\ufffd_W\ufffd\ufffdLs\ufffdF\ufffd\ufffd\ufffd\ufffd\ufffdP\ufffd@&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
�������������s��L&�#g���%����η�0L/YWї���� ؇$��$��v��m۞ATXq�j.�^&06��q�ۃ�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������s��L&�#g���%����η�0L/YWї���� ؇$��$��v��m۞ATXq�j.�^&06��q�ۃ�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������s��L&�#g���%����η�0L/YWї���� ؇$��$��v��m۞ATXq�j.�^&06��q�ۃ�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��0q��d���]� ����2�w�mk vh ���(B
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.728100270910048,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "4c45848180d0c368e0588bb8b98cf8f5",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\ufffds\ufffd\ufffdL&\ufffd#g\ufffd\ufffd\u0005%\ufffd\ufffd\u0001\ufffd\u03b7\ufffd0L\/YW\u0457\u0005\ufffd\ufffd\ufffd \u0607$\ufffd\u0000$\ufffd\ufffdv\ufffd\ufffdm\u06deATXq\ufffdj.\ufffd^&06\ufffd\ufffdq\ufffd\u06c3\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\ufffds\ufffd\ufffdL&\ufffd#g\ufffd\ufffd\u0005%\ufffd\ufffd\u0001\ufffd\u03b7\ufffd0L\/YW\u0457\u0005\ufffd\ufffd\ufffd \u0607$\ufffd\u0000$\ufffd\ufffdv\ufffd\ufffdm\u06deATXq\ufffdj.\ufffd^&06\ufffd\ufffdq\ufffd\u06c3\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd0q\ufffd\ufffdd\ufffd\ufffd\u0015]\ufffd\r\ufffd\ufffd\ufffd\u00152\ufffdw\ufffdmk\fvh\n\ufffd\ufffd\b(B",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\ufffds\ufffd\ufffdL&\ufffd#g\ufffd\ufffd\u0005%\ufffd\ufffd\u0001\ufffd\u03b7\ufffd0L\/YW\u0457\u0005\ufffd\ufffd\ufffd \u0607$\ufffd\u0000$\ufffd\ufffdv\ufffd\ufffdm\u06deATXq\ufffdj.\ufffd^&06\ufffd\ufffdq\ufffd\u06c3\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d6481f44603d6d5a4ee51df25f83776d78e1f661",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\ufffds\ufffd\ufffdL&\ufffd#g\ufffd\ufffd\u0005%\ufffd\ufffd\u0001\ufffd\u03b7\ufffd0L\/YW\u0457\u0005\ufffd\ufffd\ufffd \u0607$\ufffd\u0000$\ufffd\ufffdv\ufffd\ufffdm\u06deATXq\ufffdj.\ufffd^&06\ufffd\ufffdq\ufffd\u06c3\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffd\ufffds\ufffd\ufffdL&\ufffd#g\ufffd\ufffd%\ufffd\ufffd\ufffd\u03b7\ufffd0L\/YW\u0457\ufffd\ufffd\ufffd \u0607$\ufffd$\ufffd\ufffdv\ufffd\ufffdm\u06deATXq\ufffdj.\ufffd^&06\ufffd\ufffdq\ufffd\u06c3&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\ufffds\ufffd\ufffdL&\ufffd#g\ufffd\ufffd\u0005%\ufffd\ufffd\u0001\ufffd\u03b7\ufffd0L\/YW\u0457\u0005\ufffd\ufffd\ufffd \u0607$\ufffd\u0000$\ufffd\ufffdv\ufffd\ufffdm\u06deATXq\ufffdj.\ufffd^&06\ufffd\ufffdq\ufffd\u06c3\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffds\ufffd\ufffdL&\ufffd#g\ufffd\ufffd%\ufffd\ufffd\ufffd\u03b7\ufffd0L\/YW\u0457\ufffd\ufffd\ufffd \u0607$\ufffd$\ufffd\ufffdv\ufffd\ufffdm\u06deATXq\ufffdj.\ufffd^&06\ufffd\ufffdq\ufffd\u06c3&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
������������UB��-��b��ņl�D�Fc���xo-��}+ ����^���/q���@��T�i�/���`�KGw����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������UB��-��b��ņl�D�Fc���xo-��}+ ����^���/q���@��T�i�/���`�KGw����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������UB��-��b��ņl�D�Fc���xo-��}+ ����^���/q���@��T�i�/���`�KGw����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���/���*Y��ю�?�Ǣ%���86�;�q���-
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.867608598225724,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "5b40c02f117e451ce44da6d4588602b4",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0088\ufffdUB\ufffd\ufffd-\ufffd\ufffdb\u0003\ufffd\u0146l\ufffdD\ufffdFc\u0002\ufffd\ufffdxo-\ufffd\ufffd}+ \ufffd\ufffd\ufffd\ufffd^\u001e\ufffd\ufffd\/q\ufffd\ufffd\ufffd@\ufffd\ufffdT\ufffdi\ufffd\/\ufffd\u0011\ufffd`\ufffdKGw\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0088\ufffdUB\ufffd\ufffd-\ufffd\ufffdb\u0003\ufffd\u0146l\ufffdD\ufffdFc\u0002\ufffd\ufffdxo-\ufffd\ufffd}+ \ufffd\ufffd\ufffd\ufffd^\u001e\ufffd\ufffd\/q\ufffd\ufffd\ufffd@\ufffd\ufffdT\ufffdi\ufffd\/\ufffd\u0011\ufffd`\ufffdKGw\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd*Y\ufffd\u001b\u044e\ufffd?\ufffd\u01e2%\u0011\ufffd\ufffd86\ufffd;\ufffdq\ufffd\ufffd\ufffd-",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0088\ufffdUB\ufffd\ufffd-\ufffd\ufffdb\u0003\ufffd\u0146l\ufffdD\ufffdFc\u0002\ufffd\ufffdxo-\ufffd\ufffd}+ \ufffd\ufffd\ufffd\ufffd^\u001e\ufffd\ufffd\/q\ufffd\ufffd\ufffd@\ufffd\ufffdT\ufffdi\ufffd\/\ufffd\u0011\ufffd`\ufffdKGw\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "56591033f1972722567042c8e37402502fac80f1",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0088\ufffdUB\ufffd\ufffd-\ufffd\ufffdb\u0003\ufffd\u0146l\ufffdD\ufffdFc\u0002\ufffd\ufffdxo-\ufffd\ufffd}+ \ufffd\ufffd\ufffd\ufffd^\u001e\ufffd\ufffd\/q\ufffd\ufffd\ufffd@\ufffd\ufffdT\ufffdi\ufffd\/\ufffd\u0011\ufffd`\ufffdKGw\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffd\u0088\ufffdUB\ufffd\ufffd-\ufffd\ufffdb\ufffd\u0146l\ufffdD\ufffdFc\ufffd\ufffdxo-\ufffd\ufffd}+ \ufffd\ufffd\ufffd\ufffd^\ufffd\ufffd\/q\ufffd\ufffd\ufffd@\ufffd\ufffdT\ufffdi\ufffd\/\ufffd\ufffd`\ufffdKGw\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0088\ufffdUB\ufffd\ufffd-\ufffd\ufffdb\u0003\ufffd\u0146l\ufffdD\ufffdFc\u0002\ufffd\ufffdxo-\ufffd\ufffd}+ \ufffd\ufffd\ufffd\ufffd^\u001e\ufffd\ufffd\/q\ufffd\ufffd\ufffd@\ufffd\ufffdT\ufffdi\ufffd\/\ufffd\u0011\ufffd`\ufffdKGw\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\u0088\ufffdUB\ufffd\ufffd-\ufffd\ufffdb\ufffd\u0146l\ufffdD\ufffdFc\ufffd\ufffdxo-\ufffd\ufffd}+ \ufffd\ufffd\ufffd\ufffd^\ufffd\ufffd\/q\ufffd\ufffd\ufffd@\ufffd\ufffdT\ufffdi\ufffd\/\ufffd\ufffd`\ufffdKGw\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
�����������t��.�;Wj��2u�@�0������V�{��j=Z ��7�f�'&�<?����{*zg�{ϊ@�?ia�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������t��.�;Wj��2u�@�0������V�{��j=Z ��7�f�'&�<?����{*zg�{ϊ@�?ia�����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������t��.�;Wj��2u�@�0������V�{��j=Z ��7�f�'&�<?����{*zg�{ϊ@�?ia�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� wwz��ͯ��#�<�߿�st��lQ���������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.792525836803028,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "e5797c3d60df3498c5b2e98aba7ad2c2",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003t\ufffd\u0019.\ufffd;Wj\u0005\ufffd2u\ufffd@\ufffd0\u0014\b\ufffd\ufffd\ufffd\ufffdV\ufffd{\ufffd\u001bj=Z \ufffd\ufffd7\ufffdf\ufffd'&\ufffd<?\ufffd\ufffd\ufffd\ufffd{*zg\ufffd{\u03ca@\u0017?ia\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003t\ufffd\u0019.\ufffd;Wj\u0005\ufffd2u\ufffd@\ufffd0\u0014\b\ufffd\ufffd\ufffd\ufffdV\ufffd{\ufffd\u001bj=Z \ufffd\ufffd7\ufffdf\ufffd'&\ufffd<?\ufffd\ufffd\ufffd\ufffd{*zg\ufffd{\u03ca@\u0017?ia\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 wwz\ufffd\u001e\u036f\ufffd\ufffd#\ufffd<\ufffd\u07ff\u0005st\u001d\u0014lQ\ufffd\ufffd\u0018\ufffd\ufffd\ufffd\ufffd\ufffd\u0004",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003t\ufffd\u0019.\ufffd;Wj\u0005\ufffd2u\ufffd@\ufffd0\u0014\b\ufffd\ufffd\ufffd\ufffdV\ufffd{\ufffd\u001bj=Z \ufffd\ufffd7\ufffdf\ufffd'&\ufffd<?\ufffd\ufffd\ufffd\ufffd{*zg\ufffd{\u03ca@\u0017?ia\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d1184be7141850c023c4daad3c758456f789f51a",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003t\ufffd\u0019.\ufffd;Wj\u0005\ufffd2u\ufffd@\ufffd0\u0014\b\ufffd\ufffd\ufffd\ufffdV\ufffd{\ufffd\u001bj=Z \ufffd\ufffd7\ufffdf\ufffd'&\ufffd<?\ufffd\ufffd\ufffd\ufffd{*zg\ufffd{\u03ca@\u0017?ia\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffdt\ufffd.\ufffd;Wj\ufffd2u\ufffd@\ufffd0\ufffd\ufffd\ufffd\ufffdV\ufffd{\ufffdj=Z \ufffd\ufffd7\ufffdf\ufffd'&\ufffd<?\ufffd\ufffd\ufffd\ufffd{*zg\ufffd{\u03ca@?ia\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003t\ufffd\u0019.\ufffd;Wj\u0005\ufffd2u\ufffd@\ufffd0\u0014\b\ufffd\ufffd\ufffd\ufffdV\ufffd{\ufffd\u001bj=Z \ufffd\ufffd7\ufffdf\ufffd'&\ufffd<?\ufffd\ufffd\ufffd\ufffd{*zg\ufffd{\u03ca@\u0017?ia\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdt\ufffd.\ufffd;Wj\ufffd2u\ufffd@\ufffd0\ufffd\ufffd\ufffd\ufffdV\ufffd{\ufffdj=Z \ufffd\ufffd7\ufffdf\ufffd'&\ufffd<?\ufffd\ufffd\ufffd\ufffd{*zg\ufffd{\u03ca@?ia\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
15/06/2026 21:08:44 UTC
TCP
7002 · WEBLOGIC SSL
Sonde PostgreSQL
postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
��������������X�r;���C}q���2?���e?��L��SkQ ̌:��~��e�g#��g~�z>,\-kÞ�����O��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������X�r;���C}q���2?���e?��L��SkQ ̌:��~��e�g#��g~�z>,\-kÞ�����O��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������X�r;���C}q���2?���e?��L��SkQ ̌:��~��e�g#��g~�z>,\-kÞ�����O��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �K%0������Ԁ�>g��tȌ��\�3H��(�N
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.839873523093514,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57",
"event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "1d8243c7f201d215e4d558a9cc52c759",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdX\ufffdr;\ufffd\ufffd\ufffdC}q\ufffd\ufffd\ufffd2?\ufffd\ufffd\ufffde?\ufffd\ufffdL\ufffd\u0004SkQ \u030c:\ufffd\u0004~\ufffd\u0015e\ufffdg#\ufffd\u0003g~\u0001z>,\\-k\u00de\ufffd\ufffd\ufffd\ufffd\ufffdO\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdX\ufffdr;\ufffd\ufffd\ufffdC}q\ufffd\ufffd\ufffd2?\ufffd\ufffd\ufffde?\ufffd\ufffdL\ufffd\u0004SkQ \u030c:\ufffd\u0004~\ufffd\u0015e\ufffdg#\ufffd\u0003g~\u0001z>,\\-k\u00de\ufffd\ufffd\ufffd\ufffd\ufffdO\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdK%0\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\u0500\ufffd>g\ufffd\ufffdt\u020c\ufffd\ufffd\\\u00153H\ufffd\ufffd(\bN",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdX\ufffdr;\ufffd\ufffd\ufffdC}q\ufffd\ufffd\ufffd2?\ufffd\ufffd\ufffde?\ufffd\ufffdL\ufffd\u0004SkQ \u030c:\ufffd\u0004~\ufffd\u0015e\ufffdg#\ufffd\u0003g~\u0001z>,\\-k\u00de\ufffd\ufffd\ufffd\ufffd\ufffdO\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bf14ee6406c84b4ec16fa9363c9ea0331df46565",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdX\ufffdr;\ufffd\ufffd\ufffdC}q\ufffd\ufffd\ufffd2?\ufffd\ufffd\ufffde?\ufffd\ufffdL\ufffd\u0004SkQ \u030c:\ufffd\u0004~\ufffd\u0015e\ufffdg#\ufffd\u0003g~\u0001z>,\\-k\u00de\ufffd\ufffd\ufffd\ufffd\ufffdO\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdX\ufffdr;\ufffd\ufffd\ufffdC}q\ufffd\ufffd\ufffd2?\ufffd\ufffd\ufffde?\ufffd\ufffdL\ufffdSkQ \u030c:\ufffd~\ufffde\ufffdg#\ufffdg~z>,\\-k\u00de\ufffd\ufffd\ufffd\ufffd\ufffdO\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdX\ufffdr;\ufffd\ufffd\ufffdC}q\ufffd\ufffd\ufffd2?\ufffd\ufffd\ufffde?\ufffd\ufffdL\ufffd\u0004SkQ \u030c:\ufffd\u0004~\ufffd\u0015e\ufffdg#\ufffd\u0003g~\u0001z>,\\-k\u00de\ufffd\ufffd\ufffd\ufffd\ufffdO\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdX\ufffdr;\ufffd\ufffd\ufffdC}q\ufffd\ufffd\ufffd2?\ufffd\ufffd\ufffde?\ufffd\ufffdL\ufffdSkQ \u030c:\ufffd~\ufffde\ufffdg#\ufffdg~z>,\\-k\u00de\ufffd\ufffd\ufffd\ufffd\ufffdO\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}