Renseignement sur les menaces

Indonésie

34.128.115.115

FAI Google LLC Première vue 15/06/2026 12:38 UTC Dernière vue 15/06/2026 12:38 UTC Risque Élevé

Période analysée : 2026-06-12 → 2026-06-19

Activité suspecte — risque 66/100 (Élevé) — MITRE TA0001 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 71/100 Élevé

Première observation 15/06/2026 12:38 UTC

Dernière observation 15/06/2026 12:38 UTC

Événements (période) 854

MITRE ATT&CK principal TA0007 431 occurrences

Activité suspecte — risque 66/100 (Élevé) — MITRE TA0001 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100%

Confiance 100 % — Score WAF 84 · Bonus corrélation +8 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 34.128.96.0/19 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 854 événements sur la période pour cette IP.

147.185.133.30 Scanner web 19/06/2026 06:38 UTC
162.216.149.105 Scanner web 19/06/2026 06:37 UTC
205.210.31.196 Sonde port 19/06/2026 06:36 UTC
205.210.31.172 Sonde port 19/06/2026 06:36 UTC
198.235.24.239 Sonde port 19/06/2026 06:35 UTC
162.216.150.105 Scanner web 19/06/2026 06:35 UTC
205.210.31.138 Scanner web 19/06/2026 06:32 UTC
147.185.133.16 Scan vulnérabilités 19/06/2026 06:31 UTC

Événements (filtres)

854

Première observation

15/06/2026 12:38 UTC

Dernière observation

15/06/2026 12:38 UTC

Dernière activité (filtres)

15/06/2026 12:38 UTC

Événements 7j

854

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

CONSUL SERVER TCP 427 HTTP TCP 427

CONSUL SERVER

427

HTTP

427

Géolocalisation

Origine réseau déclarée

Indonésie unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 8300 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

credential file probe · via HTTP:8300 · (tentative d'exploit) · → /private/secrets.json

Détails protocole

Méthode: GET
Chemin: /private/secrets.json
User-Agent: Mozilla/5.0 (Linux; U; Android 9; en-US; RMX1851 Build/PKQ1.190101.001) AppleWebKit/537.36 (KHTML, …

Aperçu payload

GET /private/secrets.json HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; U; Android 9; en-US; RMX1851 Build/PK

Port / service

8300 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF

Technique MITRE

TA0001

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0496 Upstream Waf Score

Confiance

100% Corrélation +8

Famille de menace

path_traversal config_leak_scan

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

854 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

854 événement(s) — page 4/18

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /log/debug.log	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /log/debug.log UA Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20100101 Fir… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_log Cible HTTP GET /log/debug.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /log/debug.log Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Debug log disclosure Ligne de requête `GET /log/debug.log HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20100101 Firefox/4.2a1pre Règles WAF rce-0 nosqli-3 Payload (extrait) GET /log/debug.log HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20100101 Fire Requête brute (extrait) GET /log/debug.log HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20100101 Firefox/4.2a1pre Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "1609cb7afc4818ecfa4fd09f4a99f4b7f89776de", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "3fb5b472f52b8bcac2f6138463cf27ff65b8c633", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.3124852515452, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf8a59082d7e8aaf6f71b2120c65b20bfcfa0621", "event_fingerprint": "82d240cb84068bd73f2dcb3f65f9f9c947d0d396", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0110" ], "matched_pattern_names": [ "LFI Debug log disclosure" ], "pattern_ids": [ "pat-0110" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9f7bf7e48d3f63c5e0e8476feb345376", "payload_hash": "15bf091dee0554b6f03c4eb838709a4f", "path_pattern_hash": "0a13815894d10bbcd047ea689c56dc08" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Fire", "method": "GET", "path": "\/log\/debug.log", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Firefox\/4.2a1pre", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/log\/debug.log HTTP\/1.1", "request_sample": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Firefox\/4.2a1pre\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Fire", "evidence": { "method": "GET", "path": "\/log\/debug.log", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Firefox\/4.2a1pre", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/log\/debug.log HTTP\/1.1", "request_sample": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Firefox\/4.2a1pre\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Fire", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "53ae03e5b87d9dc681604ef9faf38c9a8ee84b47", "protocol_details": { "http_method": "GET", "http_path": "\/log\/debug.log", "request_line": "GET \/log\/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Firefox\/4.2a1pre", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Fire", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/log\/debug.log", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/log\/debug.log", "request_line": "GET \/log\/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Firefox\/4.2a1pre", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/log\/debug.log", "evidence_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Fire", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_log", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /trace.log	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /trace.log UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /trace.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /trace.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /trace.log HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3191.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /trace.log HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /trace.log HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3191.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "5df36dfcd1878e0b9fef6617b52ce008010031c5", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "0306f640cbfe7832e364cfa8aaa4495e8ef14f08", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 242, "payload_entropy": 5.394957982520579, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9891dbbfd9ef656d7c904161735163e513dcca83", "event_fingerprint": "9802340d3a6be9bdbbb75fae11e1b12ebfd60600", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "279451a1275a9e470716fb83584f9a9e", "payload_hash": "823285cff6ad79253b7d42f02d100a70", "path_pattern_hash": "f8d80e9ce78cc8d6e0404ba95f5bd5a6" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/trace.log", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3191.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/trace.log HTTP\/1.1", "request_sample": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3191.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/trace.log", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3191.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/trace.log HTTP\/1.1", "request_sample": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3191.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9c381860b9afc4a3433e4d90f5ed13944835e7bd", "protocol_details": { "http_method": "GET", "http_path": "\/trace.log", "request_line": "GET \/trace.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3191.0 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/trace.log", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/trace.log", "request_line": "GET \/trace.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3191.0 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/trace.log", "evidence_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /.buildkite/pipeline.yml	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.buildkite/pipeline.yml UA Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) Gecko/2007… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.buildkite/pipeline.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /.buildkite/pipeline.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.buildkite/pipeline.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) Gecko/20070330 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.buildkite/pipeline.yml HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) G Requête brute (extrait) GET /.buildkite/pipeline.yml HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) Gecko/20070330 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "3fdab039354305ace5e73d036ba51584384ee1ac", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "4bafbac6a6a3a3e498ce6febcc708140823e7542", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 210, "payload_entropy": 5.317567970390963, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 64, "tag_count": 4, "anomaly_count": 0, "campaign_key": "81d45ac58bb094128c5e03f9ce4ed1f44b650c6f", "event_fingerprint": "c8dceab82d09031f082dfc07244bb2197b7f6782", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d6659d7f232a48476328916cf4661fbd", "payload_hash": "cdb3a77768ebb69471a0cbbb41e78d52", "path_pattern_hash": "483e00e02486581ed9691d00f40bae15" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) G", "method": "GET", "path": "\/.buildkite\/pipeline.yml", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) Gecko\/20070330", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "request_sample": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) Gecko\/20070330\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) G", "evidence": { "method": "GET", "path": "\/.buildkite\/pipeline.yml", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) Gecko\/20070330", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "request_sample": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) Gecko\/20070330\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) G", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "981bf05e404dbccee689a77d5780263bd53aba2e", "protocol_details": { "http_method": "GET", "http_path": "\/.buildkite\/pipeline.yml", "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) Gecko\/20070330", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) G", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.buildkite\/pipeline.yml", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.buildkite\/pipeline.yml", "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) Gecko\/20070330", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.buildkite\/pipeline.yml", "evidence_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) G", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /.travis.yml	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.travis.yml UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /.travis.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /.travis.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.travis.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.113 Safari/537.36 Vivaldi/2.1.1337.51 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.travis.yml HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Ge Requête brute (extrait) GET /.travis.yml HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.113 Safari/537.36 Vivaldi/2.1.1337.51 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "014786134ec97de9047187709a44c1853235ae57", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "0f539eb712332002814a106c4304479b90529490", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.432313913654668, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "68baa9b6124f6a2456fd6557cda5d81f8226991e", "event_fingerprint": "296646002a2dd48e68c9b7b3da477ac116766ab8", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7cce4978fa16232d9d5cd60ae0686626", "payload_hash": "3487d7131f44c496bda1dea73f990e00", "path_pattern_hash": "31215e4931d9a8bb956098a35abb0b27" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "method": "GET", "path": "\/.travis.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.113 Safari\/537.36 Vivaldi\/2.1.1337.51", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.travis.yml HTTP\/1.1", "request_sample": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.113 Safari\/537.36 Vivaldi\/2.1.1337.51\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "evidence": { "method": "GET", "path": "\/.travis.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.113 Safari\/537.36 Vivaldi\/2.1.1337.51", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.travis.yml HTTP\/1.1", "request_sample": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.113 Safari\/537.36 Vivaldi\/2.1.1337.51\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "40b8bcf73815c31f440dace3da4a4253c9856bd6", "protocol_details": { "http_method": "GET", "http_path": "\/.travis.yml", "request_line": "GET \/.travis.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.113 Safari\/537.36 Vivaldi\/2.1.1\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.travis.yml", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.travis.yml", "request_line": "GET \/.travis.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.113 Safari\/537.36 Vivaldi\/2.1.1\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.travis.yml", "evidence_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8300 · (tentative d'exploit) · → /.htpasswd	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.htpasswd UA Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like G… Émulateur HTTP WAF 14 Recommandation Investiguer Tags 950470:nosqli-3 950522:leak-9 http_sensitive_path net_flood Cible HTTP GET /.htpasswd TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /.htpasswd Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Apache htpasswd LFI Apache htpasswd Ligne de requête `GET /.htpasswd HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240 Règles WAF nosqli-3 leak-9 Payload (extrait) GET /.htpasswd HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Requête brute (extrait) GET /.htpasswd HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "htpasswd", "http_ua_hash": "1d1f517f0c4d83a6ee1edd950ae4abac782aea2c", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "ade2de8d21551efb00f221b43821b4acb26b6f79", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.366883736540818, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 64, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4d60d1084499d372f47e3fdd8cb3765042f98aba", "event_fingerprint": "7f460608f9dc6c5e07c3cd542f673b41db24b2b0", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0469", "pat-0108" ], "matched_pattern_names": [ "Cred Apache htpasswd", "LFI Apache htpasswd" ], "pattern_ids": [ "pat-0469", "pat-0108" ], "confidence_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "11ad370e5a0b9f0d2ae736b41231fe52", "payload_hash": "af4170b143f2d776c21655f89e8e4ce5", "path_pattern_hash": "229c0a4c773f5f9eeec1d298c58088ee" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko)", "method": "GET", "path": "\/.htpasswd", "user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240", "waf_tags": [ "950470:nosqli-3", "950522:leak-9" ], "waf_rule_names": [ "nosqli-3", "leak-9" ], "request_line": "GET \/.htpasswd HTTP\/1.1", "request_sample": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko)", "evidence": { "method": "GET", "path": "\/.htpasswd", "user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240", "waf_tags": [ "950470:nosqli-3", "950522:leak-9" ], "waf_rule_names": [ "nosqli-3", "leak-9" ], "request_line": "GET \/.htpasswd HTTP\/1.1", "request_sample": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko)", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "faf5b7dec7894c71e8598d0442e00fe618338b10", "protocol_details": { "http_method": "GET", "http_path": "\/.htpasswd", "request_line": "GET \/.htpasswd HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko)", "attack_vector": "config file probe \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.htpasswd", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.htpasswd", "request_line": "GET \/.htpasswd HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.htpasswd", "evidence_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko)", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 64 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950470:nosqli-3", "950522:leak-9", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /error.log	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /error.log UA Mozilla/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit/537.3… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /error.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /error.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Error log disclosure Ligne de requête `GET /error.log HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /error.log HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit/537.36 (KH Requête brute (extrait) GET /error.log HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "3da4867009ba48eea7334705c7277bfeb35664fc", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "4bf2a42fc3c47a9cd3c9f83a2dcc96b460ea695c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.415072573056732, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9891dbbfd9ef656d7c904161735163e513dcca83", "event_fingerprint": "db81a15d6d75d12f89ad9059beb20887c8da9046", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0115" ], "matched_pattern_names": [ "LFI Error log disclosure" ], "pattern_ids": [ "pat-0115" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a587945ac46f7c95d48a6fee69d6e78d", "payload_hash": "d0c2813bf44a7446a782a27d6533fa5d", "path_pattern_hash": "377fe372f5c11075aea15748100afc0d" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/error.log", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/error.log HTTP\/1.1", "request_sample": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/error.log", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/error.log HTTP\/1.1", "request_sample": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.36 (KH", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ccb61eb4bd8d89d1c94f5be1bb594a4d97c7e8a1", "protocol_details": { "http_method": "GET", "http_path": "\/error.log", "request_line": "GET \/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.36 (KH", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/error.log", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/error.log", "request_line": "GET \/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/error.log", "evidence_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.36 (KH", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /server.log	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server.log UA Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like G… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /server.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /server.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /server.log HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1478.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server.log HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko Requête brute (extrait) GET /server.log HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1478.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "bcd9515135b2b38273255169504ce7814fcefdc2", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "437770240dcc724c5033b3c158c576b84dde4de1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 231, "payload_entropy": 5.396201162613899, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9891dbbfd9ef656d7c904161735163e513dcca83", "event_fingerprint": "fa7f8259113c3d4bd3c3bee85531482707fa50fb", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ed6246ba1d94277a15a85327855f9593", "payload_hash": "5308666f16bd9428e4576b505beea88e", "path_pattern_hash": "1bb66c038c973622f0056a763496f9ef" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko", "method": "GET", "path": "\/server.log", "user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1478.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.log HTTP\/1.1", "request_sample": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1478.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko", "evidence": { "method": "GET", "path": "\/server.log", "user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1478.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.log HTTP\/1.1", "request_sample": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1478.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5b8e8af05af57a21b30dc565a2f7c22c4af71a1f", "protocol_details": { "http_method": "GET", "http_path": "\/server.log", "request_line": "GET \/server.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1478.0 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.log", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server.log", "request_line": "GET \/server.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1478.0 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.log", "evidence_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /log/error.log	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /log/error.log UA Mozilla/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-T537A Build/KOT49… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_log Cible HTTP GET /log/error.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /log/error.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Error log disclosure Ligne de requête `GET /log/error.log HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-T537A Build/KOT49H) AppleWebKit/537.36 (KHTML like Gecko) Chrome/35.0.1916.141 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /log/error.log HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-T537A Build/KOT49H Requête brute (extrait) GET /log/error.log HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-T537A Build/KOT49H) AppleWebKit/537.36 (KHTML like Gecko) Chrome/35.0.1916.141 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connec Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "7349d262ad3577b56538fe398db8741e5d807dfe", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "fc50733d76409093f90f46513edc67564b2421cb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 271, "payload_entropy": 5.462832133888913, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "dd476363e8cc822509431fbc014a84db6cc97556", "event_fingerprint": "29730d266ef4bd88b05b97c64ece0c807e5d4c67", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0115" ], "matched_pattern_names": [ "LFI Error log disclosure" ], "pattern_ids": [ "pat-0115" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7f034b719a5c9752b73899fdf29a6695", "payload_hash": "3792314afda40641497c6ef1c74a5121", "path_pattern_hash": "a4d176701e2b21dd6deff557491aab03" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-T537A Build\/KOT49H", "method": "GET", "path": "\/log\/error.log", "user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-T537A Build\/KOT49H) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/35.0.1916.141 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/log\/error.log HTTP\/1.1", "request_sample": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-T537A Build\/KOT49H) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/35.0.1916.141 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "payload_snippet": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-T537A Build\/KOT49H", "evidence": { "method": "GET", "path": "\/log\/error.log", "user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-T537A Build\/KOT49H) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/35.0.1916.141 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/log\/error.log HTTP\/1.1", "request_sample": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-T537A Build\/KOT49H) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/35.0.1916.141 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "payload_snippet": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-T537A Build\/KOT49H", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "48d27d4d73a1c9b34f92704b367b84721b1d861f", "protocol_details": { "http_method": "GET", "http_path": "\/log\/error.log", "request_line": "GET \/log\/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-T537A Build\/KOT49H) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/35.0.191\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-T537A Build\/KOT49H", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/log\/error.log", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/log\/error.log", "request_line": "GET \/log\/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-T537A Build\/KOT49H) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/35.0.191\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/log\/error.log", "evidence_snippet": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-T537A Build\/KOT49H", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_log", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /.htaccess	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.htaccess UA Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Ge… Émulateur HTTP WAF 6 Recommandation Investiguer Tags 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /.htaccess TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /.htaccess Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Apache htaccess Ligne de requête `GET /.htaccess HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 YaBrowser/17.3.0.1785 Yowser/2.5 Safari/537.36 Règles WAF nosqli-3 Payload (extrait) GET /.htaccess HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Requête brute (extrait) GET /.htaccess HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 YaBrowser/17.3.0.1785 Yowser/2.5 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "htaccess", "http_ua_hash": "22a358cccea2daf46b8f0e0a52733ee09291d8ab", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "3450b1e7f2decdc58edd085ce04b19bc7f5d6fac", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.386900299305573, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 32, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "7ae7f192109427fa04c51c14713602788fb358d9", "event_fingerprint": "74462650d1a99b8339b0926dbcc7f71e60db2e11", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0107" ], "matched_pattern_names": [ "LFI Apache htaccess" ], "pattern_ids": [ "pat-0107" ], "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5df81b5f983af6e14df6d7ffadcccd84", "payload_hash": "0206b2f23f49c3db8a9e188dc50fd6de", "path_pattern_hash": "4c27678faebafe822ea78c9ea1cb1efa" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) ", "method": "GET", "path": "\/.htaccess", "user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/.htaccess HTTP\/1.1", "request_sample": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko)", "evidence": { "method": "GET", "path": "\/.htaccess", "user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/.htaccess HTTP\/1.1", "request_sample": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko)", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "807a2b2baa8c705da1026375e2068253060b4b32", "protocol_details": { "http_method": "GET", "http_path": "\/.htaccess", "request_line": "GET \/.htaccess HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko)", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.htaccess", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.htaccess", "request_line": "GET \/.htaccess HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 YaBrowser\/17.3.0.1785 Yowser\/2.\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.htaccess", "evidence_snippet": "GET \/.htaccess HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko)", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /logs/app.log	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /logs/app.log UA Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browse… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 http_probe_logs net_flood Cible HTTP GET /logs/app.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /logs/app.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /logs/app.log HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /logs/app.log HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Requête brute (extrait) GET /logs/app.log HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Accept-Ch Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "c8f58d748399180805eaaeee0454038e043d96b9", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "d0b8b644029ba159087a417f2e8eafdc14fc0ddb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 314, "payload_entropy": 5.291232334269305, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "17bfaae556d1dd41f2a9357f629da3a2fcc1ebe0", "event_fingerprint": "340be58324ca60963573fdc327153ed72e37bc6a", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "28ca8b6fccda72430248080823299054", "payload_hash": "579c9a2ab06ba8cec39eebd998a8d4ed", "path_pattern_hash": "1ee40b92eb3b65f75911cb662d7e1127" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser;", "method": "GET", "path": "\/logs\/app.log", "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/app.log HTTP\/1.1", "request_sample": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)\r\nAccept-Ch", "payload_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser;", "evidence": { "method": "GET", "path": "\/logs\/app.log", "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/app.log HTTP\/1.1", "request_sample": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)\r\nAccept-Ch", "payload_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser;", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "471711609aa842778c810b7a00ae6bd00710fd21", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/app.log", "request_line": "GET \/logs\/app.log HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; \u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser;", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/app.log", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/app.log", "request_line": "GET \/logs\/app.log HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; \u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/app.log", "evidence_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser;", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "http_probe_logs", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /logs/error.log	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /logs/error.log UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_logs Cible HTTP GET /logs/error.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /logs/error.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Error log disclosure Ligne de requête `GET /logs/error.log HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /logs/error.log HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH Requête brute (extrait) GET /logs/error.log HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "09f11b865b896102248adea5ce94ccedb8166ac9", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "9d5f558e73ca716aa21e27c6081370ba7dda563b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.3767247621475205, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1683e831fc0350c5d0d0cc30427b0d082da2ae0c", "event_fingerprint": "cfe34ae151de1000255189640a407e85e759f6b0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0115" ], "matched_pattern_names": [ "LFI Error log disclosure" ], "pattern_ids": [ "pat-0115" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "87a8a07d296e5a4eff8dbc24028b7ee4", "payload_hash": "0c88c657533ea412b4f41a53349bf87f", "path_pattern_hash": "11a7dc2316512e9b8311ac327e383bb9" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/logs\/error.log", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/error.log HTTP\/1.1", "request_sample": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/logs\/error.log", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/error.log HTTP\/1.1", "request_sample": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KH", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7389388b39d4f07c78eaf5d85c8ad23e779d929f", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/error.log", "request_line": "GET \/logs\/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KH", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/error.log", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/error.log", "request_line": "GET \/logs\/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/error.log", "evidence_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KH", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_logs", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8300 · (tentative d'exploit) · → /nginx.conf	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /nginx.conf UA Mozilla/5.0 (Linux; Android 7.0; ASUS_X00GD) AppleWebKit/537.36… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /nginx.conf TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /nginx.conf Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /nginx.conf HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; ASUS_X00GD) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /nginx.conf HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 7.0; ASUS_X00GD) AppleWebKit/537.36 (KH Requête brute (extrait) GET /nginx.conf HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 7.0; ASUS_X00GD) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "conf", "http_ua_hash": "333932a90b4d16c161a62d64d6a22e4578152419", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "845c3b2b5656c277525928bf4edf7c41919ad7fa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.429085887089624, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "0271568d0c06e1a5922819bc957ea302a710b8fa", "event_fingerprint": "009ad761df0ee909319d65ddffca861111926236", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "da7367132fe49d53d9bbfff09b73156d", "payload_hash": "766479ea011ec3d549f84e17f58c4223", "path_pattern_hash": "80f5fa98cca489e2cf5aa551565e088f" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; ASUS_X00GD) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/nginx.conf", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; ASUS_X00GD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nginx.conf HTTP\/1.1", "request_sample": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; ASUS_X00GD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; ASUS_X00GD) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/nginx.conf", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; ASUS_X00GD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nginx.conf HTTP\/1.1", "request_sample": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; ASUS_X00GD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; ASUS_X00GD) AppleWebKit\/537.36 (KH", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ee4045e8ef42d1ff60c879e5b099f50036984f8d", "protocol_details": { "http_method": "GET", "http_path": "\/nginx.conf", "request_line": "GET \/nginx.conf HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; ASUS_X00GD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; ASUS_X00GD) AppleWebKit\/537.36 (KH", "attack_vector": "config file probe \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nginx.conf", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/nginx.conf", "request_line": "GET \/nginx.conf HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; ASUS_X00GD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nginx.conf", "evidence_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; ASUS_X00GD) AppleWebKit\/537.36 (KH", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8300 · (tentative d'exploit) · → /.gitconfig	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.gitconfig UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleW… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /.gitconfig TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /.gitconfig Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.gitconfig HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.gitconfig HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKi Requête brute (extrait) GET /.gitconfig HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "gitconfig", "http_ua_hash": "4737e24dda37aab369cbf3ed897e4ff429612299", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "4552edeb48a162af2c0944497328c6fed5ef02ec", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.347661175570527, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "0271568d0c06e1a5922819bc957ea302a710b8fa", "event_fingerprint": "af1b4106025bc6dfc908a227daf0b7a1f8923a0b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "62524c20a1e6cdfa5b4f1f9883764e3c", "payload_hash": "e992d29d53876fbcf1f969aac035472b", "path_pattern_hash": "15182e65e3e4c28fd6667d0a76628de0" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKi", "method": "GET", "path": "\/.gitconfig", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.gitconfig HTTP\/1.1", "request_sample": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKi", "evidence": { "method": "GET", "path": "\/.gitconfig", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.gitconfig HTTP\/1.1", "request_sample": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKi", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a868c747d762521d5a37fdb2f8036f61e377ea92", "protocol_details": { "http_method": "GET", "http_path": "\/.gitconfig", "request_line": "GET \/.gitconfig HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/1\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKi", "attack_vector": "config file probe \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitconfig", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.gitconfig", "request_line": "GET \/.gitconfig HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/1\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitconfig", "evidence_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKi", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /nginx.config	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /nginx.config UA Mozilla/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit/53… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /nginx.config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /nginx.config Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /nginx.config HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /nginx.config HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit/537. Requête brute (extrait) GET /nginx.config HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "config", "http_ua_hash": "50fa0e84739a53ff2ca339a8b3f9d6e15da14af9", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "e275586080f0f32618bdbe0c80334164416e3043", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.376130640698434, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "da0e92cd0ebb085b51990a0223f84b28a1dbd99e", "event_fingerprint": "7ea00323cb3e990bf1654de734c252e72ea1ce16", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "dba530ae9f5fa9a0b9739d7895f5e92b", "payload_hash": "a12be306e796003de65867ec8a7137e7", "path_pattern_hash": "80871f7e109ea9867fd6173c2b32059b" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.", "method": "GET", "path": "\/nginx.config", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nginx.config HTTP\/1.1", "request_sample": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/nginx.config", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nginx.config HTTP\/1.1", "request_sample": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8f86633a1a70c09fc1d410e6673ea36eb0d8aa09", "protocol_details": { "http_method": "GET", "http_path": "\/nginx.config", "request_line": "GET \/nginx.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Saf\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nginx.config", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/nginx.config", "request_line": "GET \/nginx.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Saf\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nginx.config", "evidence_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8300 · (tentative d'exploit) · → /web.config	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /web.config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /web.config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /web.config Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI IIS web.config Ligne de requête `GET /web.config HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3864.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 Requête brute (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3864.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "config", "http_ua_hash": "1896e5d31aed0895333adce2aab12f31af8d046e", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "fb61e36fe9095535f127e3353d957f1c1310e8e9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 249, "payload_entropy": 5.4038436525630615, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "0271568d0c06e1a5922819bc957ea302a710b8fa", "event_fingerprint": "030da2335d37b944f7249fba4230642477c0927b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0120" ], "matched_pattern_names": [ "LFI IIS web.config" ], "pattern_ids": [ "pat-0120" ], "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "74e2590229afff988dd1760f7b919b7e", "payload_hash": "c4e5e6037ccda7d22567b06bfd165091", "path_pattern_hash": "0913647d7e838cdd727ceda37a671f37" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 ", "method": "GET", "path": "\/web.config", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3864.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3864.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/web.config", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3864.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3864.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "edca52863f1e39ac1795438bc1db87bcc14acba6", "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3864.0 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web.config", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3864.0 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web.config", "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /server.xml	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server.xml UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /server.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /server.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Tomcat server.xml Ligne de requête `GET /server.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server.xml HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /server.xml HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "10496a6f85d28b4ce3f2a892875f6c0433533770", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "524717bd951511cea8642b855a654b176416ff2d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 244, "payload_entropy": 5.414814375612094, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "da0e92cd0ebb085b51990a0223f84b28a1dbd99e", "event_fingerprint": "0dff7f8125dd6aed43eeefdd275e44c951eca9d6", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0133" ], "matched_pattern_names": [ "LFI Tomcat server.xml" ], "pattern_ids": [ "pat-0133" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "94b52ab3af63ba872d9f4116b47e7695", "payload_hash": "e3232e10c588e078f388d6d73b4ef623", "path_pattern_hash": "d4d89f4ec79feb80a890ebb7bb0f42f9" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/server.xml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.xml HTTP\/1.1", "request_sample": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/server.xml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.xml HTTP\/1.1", "request_sample": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2e42bea1690bea0c0da17d3fc31388fc085594b6", "protocol_details": { "http_method": "GET", "http_path": "\/server.xml", "request_line": "GET \/server.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.xml", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server.xml", "request_line": "GET \/server.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.xml", "evidence_snippet": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /.netrc	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.netrc UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /.netrc TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /.netrc Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Netrc credentials Ligne de requête `GET /.netrc HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.netrc HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /.netrc HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "netrc", "http_ua_hash": "dd6e6af37a0921245cb5c0e89e13f95f92998f0e", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "b7551dc22135c68ecee0a4d011ec4c0b7c771e06", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.3785434063881015, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "da0e92cd0ebb085b51990a0223f84b28a1dbd99e", "event_fingerprint": "4217c5dfb03565695f3444cd3c7401362607c318", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0482" ], "matched_pattern_names": [ "Cred Netrc credentials" ], "pattern_ids": [ "pat-0482" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d1cd53b494d07bf5f7c82c1c2eb07beb", "payload_hash": "afc1dfbefb18537d3b333aac8e27fb44", "path_pattern_hash": "5fa317981ba713f7d39164540951d6bb" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/.netrc", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.netrc HTTP\/1.1", "request_sample": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/.netrc", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.netrc HTTP\/1.1", "request_sample": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "57932683306f924b6266c89e0709bb3f8bf2a8e6", "protocol_details": { "http_method": "GET", "http_path": "\/.netrc", "request_line": "GET \/.netrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/537.36 (KHTM", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.netrc", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.netrc", "request_line": "GET \/.netrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.181 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.netrc", "evidence_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit\/537.36 (KHTM", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /private_key.pem	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /private_key.pem UA Mozilla/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko/2006070… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /private_key.pem TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /private_key.pem Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /private_key.pem HTTP/1.1` User-Agent Mozilla/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko/20060702 SeaMonkey/1.5a Règles WAF rce-0 nosqli-3 Payload (extrait) GET /private_key.pem HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko/200607 Requête brute (extrait) GET /private_key.pem HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko/20060702 SeaMonkey/1.5a Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "pem", "http_ua_hash": "a6ef6e45b825f5e304eaa7649ee456be97b6c57e", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "0f51bc792d6f938bb82ea19d1935c3464eb59ea8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 214, "payload_entropy": 5.338889729407035, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "47e094767cd5c3e8a421967685dac8891edf67a0", "event_fingerprint": "c96bbdeae190fbc20f34fcaf6bae0c959a115bde", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "435d9581a2d9c6b08bcdeeb67bcd1df6", "payload_hash": "41c220f2ba2767d961126c350eae0257", "path_pattern_hash": "fb2942fad108fb946e981f9671efa9dc" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko\/200607", "method": "GET", "path": "\/private_key.pem", "user_agent": "Mozilla\/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko\/20060702 SeaMonkey\/1.5a", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private_key.pem HTTP\/1.1", "request_sample": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko\/20060702 SeaMonkey\/1.5a\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko\/200607", "evidence": { "method": "GET", "path": "\/private_key.pem", "user_agent": "Mozilla\/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko\/20060702 SeaMonkey\/1.5a", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private_key.pem HTTP\/1.1", "request_sample": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko\/20060702 SeaMonkey\/1.5a\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko\/200607", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "813ef346d04d9ad72831411d00958325cf7a1bc5", "protocol_details": { "http_method": "GET", "http_path": "\/private_key.pem", "request_line": "GET \/private_key.pem HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko\/20060702 SeaMonkey\/1.5a", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko\/200607", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private_key.pem", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/private_key.pem", "request_line": "GET \/private_key.pem HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko\/20060702 SeaMonkey\/1.5a", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private_key.pem", "evidence_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko\/200607", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /.bash_history	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.bash_history UA Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /.bash_history TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /.bash_history Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Bash history Ligne de requête `GET /.bash_history HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.bash_history HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/ Requête brute (extrait) GET /.bash_history HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bash_history", "http_ua_hash": "e596f3886a524289afe7da407c4c19cb47348c57", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "3740e867d7aba2aaaf44f99aaa36772f226b5d91", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 201, "payload_entropy": 5.332244427416488, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "47e094767cd5c3e8a421967685dac8891edf67a0", "event_fingerprint": "d81e83be2809db8c6fbf6b74c495b8c7a4811d7f", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0109" ], "matched_pattern_names": [ "LFI Bash history" ], "pattern_ids": [ "pat-0109" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "dec4fdf6408be2ff275246ae930c1855", "payload_hash": "13dd4f7821d1f9e3306f84f48b888639", "path_pattern_hash": "70ca8eb80ffbde2088a35c267977e4d4" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/", "method": "GET", "path": "\/.bash_history", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/55.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.bash_history HTTP\/1.1", "request_sample": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/55.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/", "evidence": { "method": "GET", "path": "\/.bash_history", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/55.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.bash_history HTTP\/1.1", "request_sample": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/55.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "abd06df3fc117f9eb10690e1c4330820791dbbbe", "protocol_details": { "http_method": "GET", "http_path": "\/.bash_history", "request_line": "GET \/.bash_history HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/55.0", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.bash_history", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.bash_history", "request_line": "GET \/.bash_history HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/55.0", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.bash_history", "evidence_snippet": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /.npmrc	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.npmrc UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /.npmrc TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /.npmrc Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred NPM credentials Ligne de requête `GET /.npmrc HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.npmrc HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Requête brute (extrait) GET /.npmrc HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "npmrc", "http_ua_hash": "ea4fa585ac15d157c47f34ea7de09f788feba735", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "e47e720fc12387d6362d15cf56ef7f004f4a216f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 230, "payload_entropy": 5.421198091360923, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "da0e92cd0ebb085b51990a0223f84b28a1dbd99e", "event_fingerprint": "5e66d7bfba9f8925fc34ff527b1577015194330b", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0481" ], "matched_pattern_names": [ "Cred NPM credentials" ], "pattern_ids": [ "pat-0481" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d82cefaf22eda39f47cd4260363c44b1", "payload_hash": "9f9b93ef48fd807ef7b27e679e445b4f", "path_pattern_hash": "7643d037b83b1eb932659ed1ccb7e4fe" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) ", "method": "GET", "path": "\/.npmrc", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.75 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.npmrc HTTP\/1.1", "request_sample": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.75 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "evidence": { "method": "GET", "path": "\/.npmrc", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.75 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.npmrc HTTP\/1.1", "request_sample": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.75 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c643ed68f143866a9476abd3b53042e27cbf83a7", "protocol_details": { "http_method": "GET", "http_path": "\/.npmrc", "request_line": "GET \/.npmrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.75 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.npmrc", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.npmrc", "request_line": "GET \/.npmrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.75 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.npmrc", "evidence_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:8300 · (tentative d'exploit) · → /id_rsa	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /id_rsa UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /id_rsa TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /id_rsa Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 57 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-credential-file pat-0495 Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred SSH private key id_rsa Ligne de requête `GET /id_rsa HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.4 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /id_rsa HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /id_rsa HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.4 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "b746ffea81a2fa3b537e36b4ade1aba43f04765f", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "e7082bf89fb3315806e7ae6952f0a88884c69468", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 245, "payload_entropy": 5.405758586969764, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "47e094767cd5c3e8a421967685dac8891edf67a0", "event_fingerprint": "7a6bd0154767867fc21441fb21996642ab1ab95b", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 225, "precision_signals": [ "SIGMA-web-credential-file", "pat-0495", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-credential-file", "pat-0495", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0495" ], "matched_pattern_names": [ "Cred SSH private key id_rsa" ], "pattern_ids": [ "pat-0495" ], "confidence_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 57, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bb9f65bd8af7a3b91ac0ca15df58e880", "payload_hash": "182c6a02df40228758ef3654fefc80e9", "path_pattern_hash": "7db94f5d7ea5ac98ea13d8c61becd367" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/id_rsa", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/id_rsa HTTP\/1.1", "request_sample": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/id_rsa", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/id_rsa HTTP\/1.1", "request_sample": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHT", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c9fc8b45b63a1c5332fbd306ecfef848a566be83", "protocol_details": { "http_method": "GET", "http_path": "\/id_rsa", "request_line": "GET \/id_rsa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHT", "attack_vector": "credential file probe \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/id_rsa", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 57, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-credential-file", "pat-0495", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-credential-file", "pat-0495", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/id_rsa", "request_line": "GET \/id_rsa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/id_rsa", "evidence_snippet": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHT", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /private.key	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /private.key UA Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTM… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /private.key TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /private.key Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /private.key HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /private.key HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /private.key HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "key", "http_ua_hash": "dbc300a2fdbce9356ecb24ee11e2ee1d42c7eee0", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "778f1a2da806bd5e8dfbe960a44247fae7b2ad06", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.441001367303205, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "da0e92cd0ebb085b51990a0223f84b28a1dbd99e", "event_fingerprint": "613fce8f293dd97289ba8aeab39b684e8327459b", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f87bfe70fdc910a1c65033b3ad50ee97", "payload_hash": "316b498f5862a0fc35ad015292fef88e", "path_pattern_hash": "99d81cc4cfd81ec40e55a6efe29c670b" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/private.key", "user_agent": "Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private.key HTTP\/1.1", "request_sample": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/private.key", "user_agent": "Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private.key HTTP\/1.1", "request_sample": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5187ac1cccd4d18696d49573c27beb6e1569eb34", "protocol_details": { "http_method": "GET", "http_path": "\/private.key", "request_line": "GET \/private.key HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private.key", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/private.key", "request_line": "GET \/private.key HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private.key", "evidence_snippet": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /.pypirc	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.pypirc UA Mozilla/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit/53… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /.pypirc TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /.pypirc Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.pypirc HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.pypirc HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit/537.36 (K Requête brute (extrait) GET /.pypirc HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "pypirc", "http_ua_hash": "cda313ac8bec29aa29e200fabad5e8e8901a729f", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "4f379f0493c77f8c140c8f093ef7d07d4d18769b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.391845557689735, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "47e094767cd5c3e8a421967685dac8891edf67a0", "event_fingerprint": "17071a1a30343403ba1439f30edea1ca63d8a097", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c3981103cb797f51162cbb91a01db226", "payload_hash": "8d063d0b68dff412d230e5ded68c7736", "path_pattern_hash": "f4c8c175cb2aad95cfdfc95e8249602c" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/.pypirc", "user_agent": "Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.pypirc HTTP\/1.1", "request_sample": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/.pypirc", "user_agent": "Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.pypirc HTTP\/1.1", "request_sample": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit\/537.36 (K", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9e43a3d82a97fc2f7f2be28d060bcf46a938d4cb", "protocol_details": { "http_method": "GET", "http_path": "\/.pypirc", "request_line": "GET \/.pypirc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Saf\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit\/537.36 (K", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.pypirc", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.pypirc", "request_line": "GET \/.pypirc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Saf\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.pypirc", "evidence_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit\/537.36 (K", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /assets/js/sendgrid.js	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /assets/js/sendgrid.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /assets/js/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /assets/js/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /assets/js/sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.19 Safari/537.36 OPR/64.0.3409.0 (Edition developer) Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /assets/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/53 Requête brute (extrait) GET /assets/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.19 Safari/537.36 OPR/64.0.3409.0 (Edition developer) Accept-Charset: utf-8 Accept-En Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "c9d68c3716765910cf2e85a545e7b29ef2a35b61", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "acda6bf02865a5f0451c6b9d0899297afde192a1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 291, "payload_entropy": 5.437525343374998, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 6, "anomaly_count": 0, "campaign_key": "1f61181a94a1286806f627c6b67fb60fb162a38c", "event_fingerprint": "18f7df011e7d864ae37620e598260485cc4bda2f", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c79c3932da7e0eb7a4f9c80ffaecfb29", "payload_hash": "60f6fb2d60dee71a951701c3fed5e783", "path_pattern_hash": "1306be68ad7cfbf9a63999288f6e84d3" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "method": "GET", "path": "\/assets\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36 OPR\/64.0.3409.0 (Edition developer)", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36 OPR\/64.0.3409.0 (Edition developer)\r\nAccept-Charset: utf-8\r\nAccept-En", "payload_snippet": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/assets\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36 OPR\/64.0.3409.0 (Edition developer)", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36 OPR\/64.0.3409.0 (Edition developer)\r\nAccept-Charset: utf-8\r\nAccept-En", "payload_snippet": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0d397ced657e62bac9267432ab31503ba8e68313", "protocol_details": { "http_method": "GET", "http_path": "\/assets\/js\/sendgrid.js", "request_line": "GET \/assets\/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36 OPR\/\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/js\/sendgrid.js", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/assets\/js\/sendgrid.js", "request_line": "GET \/assets\/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36 OPR\/\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/js\/sendgrid.js", "evidence_snippet": "GET \/assets\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_assets", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /sendgrid.py	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.py UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.122 Safari/537.36 Vivaldi/2.3.1440.61 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.py HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /sendgrid.py HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.122 Safari/537.36 Vivaldi/2.3.1440.61 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "py", "http_ua_hash": "c1c1bde123fbda9b83f4d6156cd3b28c2797d20e", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "0e3f38ff7e509e55407449d72c93d40ab0729e93", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.435213357440518, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "da0e92cd0ebb085b51990a0223f84b28a1dbd99e", "event_fingerprint": "3869d548df03360161e7acec07eafedd8ce83781", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "65a9a2f402a488c7f9c458cde878f2c7", "payload_hash": "8741f5b1a0a5dcbc179e27b39d63f3f5", "path_pattern_hash": "5599d311df7384f76edaf185f5d025e3" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.122 Safari\/537.36 Vivaldi\/2.3.1440.61", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.py HTTP\/1.1", "request_sample": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.122 Safari\/537.36 Vivaldi\/2.3.1440.61\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.122 Safari\/537.36 Vivaldi\/2.3.1440.61", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.py HTTP\/1.1", "request_sample": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.122 Safari\/537.36 Vivaldi\/2.3.1440.61\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ac2630f8b4903b71c9ceabe6fab7adfe84e0d3fe", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.py", "request_line": "GET \/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.122 Safari\/537.36 Vivaldi\/\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.py", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.py", "request_line": "GET \/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.122 Safari\/537.36 Vivaldi\/\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.py", "evidence_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /server.key	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server.key UA Mozilla/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /server.key TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /server.key Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Server private key Ligne de requête `GET /server.key HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server.key HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /server.key HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "key", "http_ua_hash": "96aee98fdfb21b9749a3d850dc4cd412c37a4bea", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "cf1afbf8420628be2ea8315c59921f18b70510e8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.4271980515258385, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "da0e92cd0ebb085b51990a0223f84b28a1dbd99e", "event_fingerprint": "f1a712711c7abafae8ab455416e7399f8cb117db", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0499" ], "matched_pattern_names": [ "Cred Server private key" ], "pattern_ids": [ "pat-0499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e3bfa0aecfa432883afc5cf6b81d16a6", "payload_hash": "bcac3711ddbb41defb5ca0454b3049a8", "path_pattern_hash": "51ffc9c2865ea094d2e6b0576cde621f" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/server.key", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.key HTTP\/1.1", "request_sample": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/server.key", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.key HTTP\/1.1", "request_sample": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "da05a5eec40355073c7a7538f8800517def9af19", "protocol_details": { "http_method": "GET", "http_path": "\/server.key", "request_line": "GET \/server.key HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.key", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server.key", "request_line": "GET \/server.key HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.key", "evidence_snippet": "GET \/server.key HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /sendgrid-config.js	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid-config.js UA Lynx/2.8.7dev.4 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8d Émulateur HTTP WAF 14 Recommandation Investiguer Tags 950318:lfi-14 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid-config.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /sendgrid-config.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid-config.js HTTP/1.1` User-Agent Lynx/2.8.7dev.4 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8d Règles WAF lfi-14 nosqli-3 Payload (extrait) GET /sendgrid-config.js HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Lynx/2.8.7dev.4 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8d Requête brute (extrait) GET /sendgrid-config.js HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Lynx/2.8.7dev.4 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8d Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44ab5c787fe1db36dde38b87875d867895660936", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "c8b4913a314d5374735dff4b95e1cff311f5c4dc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 196, "payload_entropy": 5.3147792652258135, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 64, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 64, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5e4f11079a4967997519043478ce0650ce7319f3", "event_fingerprint": "a367542b58b86471ccba575cbde2a22ab8681454", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 64, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "40ccd589de5afc5c6cd9008ac1d6b38d", "payload_hash": "168e61ba0ea0cc63d0ff6f8772da3a05", "path_pattern_hash": "2b99e2b2f22e64aa3052d2699e1fc307" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9.8d\r", "method": "GET", "path": "\/sendgrid-config.js", "user_agent": "Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9.8d", "waf_tags": [ "950318:lfi-14", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "nosqli-3" ], "request_line": "GET \/sendgrid-config.js HTTP\/1.1", "request_sample": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9.8d\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9.8d", "evidence": { "method": "GET", "path": "\/sendgrid-config.js", "user_agent": "Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9.8d", "waf_tags": [ "950318:lfi-14", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "nosqli-3" ], "request_line": "GET \/sendgrid-config.js HTTP\/1.1", "request_sample": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9.8d\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9.8d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ab5d674d8178536fa7b9371ad39e72d863eac86a", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-config.js", "request_line": "GET \/sendgrid-config.js HTTP\/1.1", "http_user_agent": "Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9.8d", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9.8d", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-config.js", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 64, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-config.js", "request_line": "GET \/sendgrid-config.js HTTP\/1.1", "http_user_agent": "Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9.8d", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-config.js", "evidence_snippet": "GET \/sendgrid-config.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9.8d", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 64 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /sendgrid.config.js	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.config.js UA Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Triden… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.config.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /sendgrid.config.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.config.js HTTP/1.1` User-Agent Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.config.js HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Tr Requête brute (extrait) GET /sendgrid.config.js HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "709cd7ecb895ccc0d811c9b3e76ade66b0e1f3aa", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "97c6c01ed1cd44a1cf5c9909b699de08c7716b13", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 221, "payload_entropy": 5.279858841632617, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "da0e92cd0ebb085b51990a0223f84b28a1dbd99e", "event_fingerprint": "0d2d6269de79e566eefb0cddf515c779805c40ac", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "62344fc5d84c3c1fadd8e78258089bea", "payload_hash": "50372c09d791b5627dcc4ce097161941", "path_pattern_hash": "032717fdb137d07613be2acfbba19b69" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Tr", "method": "GET", "path": "\/sendgrid.config.js", "user_agent": "Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident\/5.0; IEMobile\/9.0)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.config.js HTTP\/1.1", "request_sample": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident\/5.0; IEMobile\/9.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Tr", "evidence": { "method": "GET", "path": "\/sendgrid.config.js", "user_agent": "Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident\/5.0; IEMobile\/9.0)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.config.js HTTP\/1.1", "request_sample": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident\/5.0; IEMobile\/9.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Tr", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ea992be9cf416576ea402ba7b887492dbbd0340b", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.config.js", "request_line": "GET \/sendgrid.config.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident\/5.0; IEMobile\/9.0)", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Tr", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.config.js", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.config.js", "request_line": "GET \/sendgrid.config.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident\/5.0; IEMobile\/9.0)", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.config.js", "evidence_snippet": "GET \/sendgrid.config.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Tr", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:8300 · (tentative d'exploit) · → /.ssh/id_rsa	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.ssh/id_rsa UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_id_rsa Cible HTTP GET /.ssh/id_rsa TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /.ssh/id_rsa Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · Sonde clé SSH / id_rsa · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-credential-file Http Id Rsa pat-0490 pat-0495 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred SSH key in .ssh Cred SSH private key id_rsa Ligne de requête `GET /.ssh/id_rsa HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.ssh/id_rsa HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Ge Requête brute (extrait) GET /.ssh/id_rsa HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ssh\/id_rsa", "http_ua_hash": "5f54e573b05bff14b77d1814d3bb5eb9b4150213", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "d951dfd854ab99392c126a2628ec52b85415a678", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 235, "payload_entropy": 5.445004353396684, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "e77ddb970c1f77f008595484f8f409e218f3b4a3", "event_fingerprint": "4c3c14386a06dc3266205e0101eb35d016e69294", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 393, "precision_signals": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0490", "pat-0495" ], "matched_pattern_names": [ "Cred SSH key in .ssh", "Cred SSH private key id_rsa" ], "pattern_ids": [ "pat-0490", "pat-0495" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "29bf1f4d0981ae0108cf486395724145", "payload_hash": "ef62b2b3d2a67c82aa1c4919f1d97102", "path_pattern_hash": "6eca2c923ad05fff3eba197c659999e2" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "method": "GET", "path": "\/.ssh\/id_rsa", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "request_sample": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "evidence": { "method": "GET", "path": "\/.ssh\/id_rsa", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "request_sample": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0269808401aa002bf6d2dabab9805ca5a84b853c", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/id_rsa", "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "attack_vector": "credential file probe \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.ssh\/id_rsa", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495" ], "tags_summary_labels_fr": [ "SIGMA-web-credential-file", "Http Id Rsa", "pat-0490", "pat-0495" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/id_rsa", "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.ssh\/id_rsa", "evidence_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_id_rsa", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /public/js/sendgrid.js	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /public/js/sendgrid.js UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /public/js/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /public/js/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /public/js/sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.4 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /public/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 Requête brute (extrait) GET /public/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.4 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "73a819af36e260f12b54c59e717c833cd5aa3fa1", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "3d8d45d4780341cf69b3566ae14a0edf2136ab23", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 249, "payload_entropy": 5.425463153002572, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 70, "tag_count": 5, "anomaly_count": 0, "campaign_key": "9a8fa29f511a6935e63d3d0b97447baa2af02311", "event_fingerprint": "b87017afeb2bef3cb09d93310354b720e8ae7a5f", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d3fa4d6f7636772e7066d1081a761a29", "payload_hash": "6893ae7341700fc11d7fd8db2c3ca756", "path_pattern_hash": "f58945cff6efd1a814c6e2366d5811fb" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 ", "method": "GET", "path": "\/public\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/public\/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/public\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/public\/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "898e9d753d37e65f355bbc17e22b0ffed9765403", "protocol_details": { "http_method": "GET", "http_path": "\/public\/js\/sendgrid.js", "request_line": "GET \/public\/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/js\/sendgrid.js", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/public\/js\/sendgrid.js", "request_line": "GET \/public\/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/js\/sendgrid.js", "evidence_snippet": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:25 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /js/sendgrid.js	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /js/sendgrid.js UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleW… Émulateur HTTP WAF 34 Recommandation Investiguer Tags 950086:sqli-21 950316:lfi-14 950326:rce-0 950468:nosqli-3 Cible HTTP GET /js/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /js/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — 5 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /js/sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.4(0x17000428) NetType/WIFI Language/zh_CN Règles WAF sqli-21 lfi-14 rce-0 nosqli-3 Payload (extrait) GET /js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleW Requête brute (extrait) GET /js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.4(0x17000428) NetType/WIFI Language/zh_CN Accept-Charset: u Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "568852bf8c0500279360f3a7b83ee5202ffeed78", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "7114249614c60cac92b11c965ba88c076eabbbd2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 306, "payload_entropy": 5.486861292467294, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 70, "tag_count": 6, "anomaly_count": 0, "campaign_key": "ce928a1878ef072656601627d052059a8c80045a", "event_fingerprint": "f51cf40d871a945ef720bc2ae6b48f37ff9a1772", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0ab25fecd98477f618d10993a5d3118d", "payload_hash": "6a8f31acefe06b282c17a58952770c96", "path_pattern_hash": "e872e36d7b0986feefb905fe01ffcd7c" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleW", "method": "GET", "path": "\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.4(0x17000428) NetType\/WIFI Language\/zh_CN", "waf_tags": [ "950086:sqli-21", "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "sqli-21", "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.4(0x17000428) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: u", "payload_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleW", "evidence": { "method": "GET", "path": "\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.4(0x17000428) NetType\/WIFI Language\/zh_CN", "waf_tags": [ "950086:sqli-21", "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "sqli-21", "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.4(0x17000428) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: u", "payload_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleW", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c5cda9dbcee54d7c6a3ef67b391e857b9e30976d", "protocol_details": { "http_method": "GET", "http_path": "\/js\/sendgrid.js", "request_line": "GET \/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMe\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleW", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/sendgrid.js", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/js\/sendgrid.js", "request_line": "GET \/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMe\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/sendgrid.js", "evidence_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleW", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950086:sqli-21", "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · CONSUL SERVER	consul-server	Sonde PostgreSQL postgres probe · via CONSUL SERVER:8300 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur CONSUL-SERVER WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8300 Chemin / cible — Service CONSUL SERVER Payload ��e@)��=�a�,vJS.��1�{�V� e\�� /̸� � �t�p;��1�p��_&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��e@)��=�a�,vJS.��1�{�V� e\�� /̸� � �t�p;��1�p��_&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��e@)��=�a�,vJS.��1�{�V� e\�� /̸� � �t�p;��1�p��_&�+�/�,�0̨̩� �� /5� w �+3&$ ��{�.��{K��A,��X��ؠƍ�y]ܱR Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.830294142928363, "port_category": "registered", "org": "Google LLC", "service": "consul-server", "app_proto": "consul-server", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "6fb1dcfb536ed06ac48a5f920174a63054f2ac14", "event_fingerprint": "e68037b92ba58b835ba3615b495a30586db90f6f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "consul-server", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fa34cda283e1e03b207a7396702a9f9e", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8300, "service": "consul-server", "service_name": "consul-server", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffde@)\ufffd\u0001\u0001\ufffd=\ufffda\ufffd\u0005,\u000evJS.\u0016\ufffd\ufffd1\u0010\ufffd{\ufffdV\ufffd e\\\ufffd\ufffd\n\ufffd\u001c\ufffd\/\u0338\ufffd\r\ufffd\n\ufffdt\ufffdp;\ufffd\ufffd\ufffd1\ufffdp\u0005\ufffd\ufffd\u0010_\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffde@)\ufffd\u0001\u0001\ufffd=\ufffda\ufffd\u0005,\u000evJS.\u0016\ufffd\ufffd1\u0010\ufffd{\ufffdV\ufffd e\\\ufffd\ufffd\n\ufffd\u001c\ufffd\/\u0338\ufffd\r\ufffd\n\ufffdt\ufffdp;\ufffd\ufffd\ufffd1\ufffdp\u0005\ufffd\ufffd\u0010_\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd{\ufffd.\ufffd\ufffd{K\ufffd\ufffd\ufffdA,\ufffd\ufffdX\ufffd\ufffd\u0620\u018d\ufffd\u001fy]\u0731R\u0017", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffde@)\ufffd\u0001\u0001\ufffd=\ufffda\ufffd\u0005,\u000evJS.\u0016\ufffd\ufffd1\u0010\ufffd{\ufffdV\ufffd e\\\ufffd\ufffd\n\ufffd\u001c\ufffd\/\u0338\ufffd\r\ufffd\n\ufffdt\ufffdp;\ufffd\ufffd\ufffd1\ufffdp\u0005\ufffd\ufffd\u0010_\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61207dc66eb20792dde84003b3a6c8b4f6987e86", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffde@)\ufffd\u0001\u0001\ufffd=\ufffda\ufffd\u0005,\u000evJS.\u0016\ufffd\ufffd1\u0010\ufffd{\ufffdV\ufffd e\\\ufffd\ufffd\n\ufffd\u001c\ufffd\/\u0338\ufffd\r\ufffd\n\ufffdt\ufffdp;\ufffd\ufffd\ufffd1\ufffdp\u0005\ufffd\ufffd\u0010_\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffde@)\ufffd\ufffd=\ufffda\ufffd,vJS.\ufffd\ufffd1\ufffd{\ufffdV\ufffd e\\\ufffd\ufffd\n\ufffd\ufffd\/\u0338\ufffd\r\ufffd\n\ufffdt\ufffdp;\ufffd\ufffd\ufffd1\ufffdp\ufffd\ufffd_&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via CONSUL SERVER:8300 \u00b7 (sonde \/ probe)", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "consul-server", "service_label_fr": "CONSUL SERVER", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-consul-server", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffde@)\ufffd\u0001\u0001\ufffd=\ufffda\ufffd\u0005,\u000evJS.\u0016\ufffd\ufffd1\u0010\ufffd{\ufffdV\ufffd e\\\ufffd\ufffd\n\ufffd\u001c\ufffd\/\u0338\ufffd\r\ufffd\n\ufffdt\ufffdp;\ufffd\ufffd\ufffd1\ufffdp\u0005\ufffd\ufffd\u0010_\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "attack_vector": "postgres probe \u00b7 via CONSUL SERVER:8300 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffde@)\ufffd\ufffd=\ufffda\ufffd,vJS.\ufffd\ufffd1\ufffd{\ufffdV\ufffd e\\\ufffd\ufffd\n\ufffd\ufffd\/\u0338\ufffd\r\ufffd\n\ufffdt\ufffdp;\ufffd\ufffd\ufffd1\ufffdp\ufffd\ufffd_&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "consul_server", "service_banner": "honeypot-consul-server", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · CONSUL SERVER	consul-server	Sonde PostgreSQL postgres probe · via CONSUL SERVER:8300 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur CONSUL-SERVER WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8300 Chemin / cible — Service CONSUL SERVER Payload ��S3�0�-&;�MIK[tn:� ��;��d$� 0��d��9�O�Kl��bITI�y)��F��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��S3�0�-&;�MIK[tn:��;��d$� 0��d��9�O�Kl��bITI�y)��F��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��S3�0�-&;�MIK[tn:� ��;��d$� 0��d��9�O�Kl��bITI�y)��F��&�+�/�,�0̨̩� �� /5� w �+3&$ �B�>��B&_Gk� P�\�o�~m��(r2c Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.902624504760171, "port_category": "registered", "org": "Google LLC", "service": "consul-server", "app_proto": "consul-server", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "6fb1dcfb536ed06ac48a5f920174a63054f2ac14", "event_fingerprint": "e68037b92ba58b835ba3615b495a30586db90f6f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "consul-server", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d306960063156be3928c4b848e12943f", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8300, "service": "consul-server", "service_name": "consul-server", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdS3\ufffd0\ufffd-&;\ufffdMIK[tn:\ufffd\f\u0015\ufffd\ufffd\ufffd\u0014;\ufffd\ufffd\u000ed$\ufffd 0\ufffd\ufffd\ufffdd\ufffd\ufffd9\ufffdO\ufffdKl\ufffd\u000f\ufffdbIT\u001fI\ufffdy)\ufffd\ufffdF\ufffd\ufffd\ufffd\u0017\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdS3\ufffd0\ufffd-&;\ufffdMIK[tn:\ufffd\f\u0015\ufffd\ufffd\ufffd\u0014;\ufffd\ufffd\u000ed$\ufffd 0\ufffd\ufffd\ufffdd\ufffd\ufffd9\ufffdO\ufffdKl\ufffd\u000f\ufffdbIT\u001fI\ufffdy)\ufffd\ufffdF\ufffd\ufffd\ufffd\u0017\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u001eB\ufffd>\ufffd\ufffdB&_Gk\ufffd\nP\ufffd\\\ufffdo\u0015\ufffd\u0005~m\ufffd\ufffd\u0012\ufffd(r2c", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdS3\ufffd0\ufffd-&;\ufffdMIK[tn:\ufffd\f\u0015\ufffd\ufffd\ufffd\u0014;\ufffd\ufffd\u000ed$\ufffd 0\ufffd\ufffd\ufffdd\ufffd\ufffd9\ufffdO\ufffdKl\ufffd\u000f\ufffdbIT\u001fI\ufffdy)\ufffd\ufffdF\ufffd\ufffd\ufffd\u0017\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "665cc5a3f3e9633b7eb1be7973d2347715ff6d5c", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdS3\ufffd0\ufffd-&;\ufffdMIK[tn:\ufffd\f\u0015\ufffd\ufffd\ufffd\u0014;\ufffd\ufffd\u000ed$\ufffd 0\ufffd\ufffd\ufffdd\ufffd\ufffd9\ufffdO\ufffdKl\ufffd\u000f\ufffdbIT\u001fI\ufffdy)\ufffd\ufffdF\ufffd\ufffd\ufffd\u0017\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "evidence_snippet": "\ufffd\ufffd\ufffdS3\ufffd0\ufffd-&;\ufffdMIK[tn:\ufffd\ufffd\ufffd\ufffd;\ufffd\ufffdd$\ufffd 0\ufffd\ufffd\ufffdd\ufffd\ufffd9\ufffdO\ufffdKl\ufffd\ufffdbITI\ufffdy)\ufffd\ufffdF\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via CONSUL SERVER:8300 \u00b7 (sonde \/ probe)", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "consul-server", "service_label_fr": "CONSUL SERVER", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-consul-server", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdS3\ufffd0\ufffd-&;\ufffdMIK[tn:\ufffd\f\u0015\ufffd\ufffd\ufffd\u0014;\ufffd\ufffd\u000ed$\ufffd 0\ufffd\ufffd\ufffdd\ufffd\ufffd9\ufffdO\ufffdKl\ufffd\u000f\ufffdbIT\u001fI\ufffdy)\ufffd\ufffdF\ufffd\ufffd\ufffd\u0017\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "attack_vector": "postgres probe \u00b7 via CONSUL SERVER:8300 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdS3\ufffd0\ufffd-&;\ufffdMIK[tn:\ufffd\ufffd\ufffd\ufffd;\ufffd\ufffdd$\ufffd 0\ufffd\ufffd\ufffdd\ufffd\ufffd9\ufffdO\ufffdKl\ufffd\ufffdbITI\ufffdy)\ufffd\ufffdF\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "consul_server", "service_banner": "honeypot-consul-server", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · CONSUL SERVER	consul-server	Sonde PostgreSQL postgres probe · via CONSUL SERVER:8300 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur CONSUL-SERVER WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8300 Chemin / cible — Service CONSUL SERVER Payload ��>T��<dW��ZDt ��-IF�pn�a�r�� :�8��ȟ��z]�tKFw<S^ p$�{{�,�=#&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��>T��<dW��ZDt ��-IF�pn�a�r�� :�8��ȟ��z]�tKFw<S^p$�{{�,�=#&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��>T��<dW��ZDt ��-IF�pn�a�r�� :�8��ȟ��z]�tKFw<S^ p$�{{�,�=#&�+�/�,�0̨̩� �� /5� w �+3&$ � U��2�{}�� H��&�p��_R Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.895267077647979, "port_category": "registered", "org": "Google LLC", "service": "consul-server", "app_proto": "consul-server", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "6fb1dcfb536ed06ac48a5f920174a63054f2ac14", "event_fingerprint": "e68037b92ba58b835ba3615b495a30586db90f6f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "consul-server", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "34cf9ff11b56850ee29b6d7c6070d3fe", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8300, "service": "consul-server", "service_name": "consul-server", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>T\ufffd\ufffd<dW\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZDt \ufffd\ufffd-IF\u0019\ufffdpn\ufffda\ufffdr\ufffd\ufffd :\ufffd8\ufffd\ufffd\u021f\ufffd\ufffdz]\ufffdtKFw<S^\fp$\ufffd{{\u001c\ufffd,\ufffd=#\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>T\ufffd\ufffd<dW\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZDt \ufffd\ufffd-IF\u0019\ufffdpn\ufffda\ufffdr\ufffd\ufffd :\ufffd8\ufffd\ufffd\u021f\ufffd\ufffdz]\ufffdtKFw<S^\fp$\ufffd{{\u001c\ufffd,\ufffd=#\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd U\ufffd\ufffd2\ufffd{}\u001c\ufffd\ufffd\ufffd\ufffd\ufffd\nH\ufffd\ufffd\ufffd&\ufffd\bp\ufffd\ufffd_R\u0015", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>T\ufffd\ufffd<dW\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZDt \ufffd\ufffd-IF\u0019\ufffdpn\ufffda\ufffdr\ufffd\ufffd :\ufffd8\ufffd\ufffd\u021f\ufffd\ufffdz]\ufffdtKFw<S^\fp$\ufffd{{\u001c\ufffd,\ufffd=#\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4a8529bb9df891234ebe7032fd1d989dcf949143", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>T\ufffd\ufffd<dW\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZDt \ufffd\ufffd-IF\u0019\ufffdpn\ufffda\ufffdr\ufffd\ufffd :\ufffd8\ufffd\ufffd\u021f\ufffd\ufffdz]\ufffdtKFw<S^\fp$\ufffd{{\u001c\ufffd,\ufffd=#\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "evidence_snippet": "\ufffd\ufffd>T\ufffd\ufffd<dW\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZDt \ufffd\ufffd-IF\ufffdpn\ufffda\ufffdr\ufffd\ufffd :\ufffd8\ufffd\ufffd\u021f\ufffd\ufffdz]\ufffdtKFw<S^p$\ufffd{{\ufffd,\ufffd=#&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via CONSUL SERVER:8300 \u00b7 (sonde \/ probe)", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "consul-server", "service_label_fr": "CONSUL SERVER", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-consul-server", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>T\ufffd\ufffd<dW\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZDt \ufffd\ufffd-IF\u0019\ufffdpn\ufffda\ufffdr\ufffd\ufffd :\ufffd8\ufffd\ufffd\u021f\ufffd\ufffdz]\ufffdtKFw<S^\fp$\ufffd{{\u001c\ufffd,\ufffd=#\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "attack_vector": "postgres probe \u00b7 via CONSUL SERVER:8300 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd>T\ufffd\ufffd<dW\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZDt \ufffd\ufffd-IF\ufffdpn\ufffda\ufffdr\ufffd\ufffd :\ufffd8\ufffd\ufffd\u021f\ufffd\ufffdz]\ufffdtKFw<S^p$\ufffd{{\ufffd,\ufffd=#&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "consul_server", "service_banner": "honeypot-consul-server", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · CONSUL SERVER	consul-server	Sonde PostgreSQL postgres probe · via CONSUL SERVER:8300 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur CONSUL-SERVER WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8300 Chemin / cible — Service CONSUL SERVER Payload �� )��ZZ��ᢱ��5�t# ��f�+�@��\|"w��>�Ec!�@ʎ��,��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��)��ZZ��ᢱ��5�t# ��f�+�@��\|"w��>�Ec!�@ʎ��,��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) �� )��ZZ��ᢱ��5�t# ��f�+�@��\|"w��>�Ec!�@ʎ��,��&�+�/�,�0̨̩� �� /5� w �+3&$ ��auC;+��n}�%�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.879462971064399, "port_category": "registered", "org": "Google LLC", "service": "consul-server", "app_proto": "consul-server", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "6fb1dcfb536ed06ac48a5f920174a63054f2ac14", "event_fingerprint": "e68037b92ba58b835ba3615b495a30586db90f6f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "consul-server", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "038bafebfc7ba9486dd7c4397db4349c", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8300, "service": "consul-server", "service_name": "consul-server", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001d\ufffd\ufffd\b\ufffd\ufffd\ufffd\u000b)\ufffd\ufffd\u001f\u0007\ufffdZ\u0010Z\ufffd\ufffd\ufffd\u000e\u18b1\ufffd\ufffd\ufffd5\ufffdt# \ufffd\ufffd\ufffd\ufffdf\ufffd+\ufffd@\ufffd\ufffd\|\"w\ufffd\ufffd>\ufffdEc!\ufffd@\u028e\u0019\ufffd\ufffd,\ufffd\u0015\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001d\ufffd\ufffd\b\ufffd\ufffd\ufffd\u000b)\ufffd\ufffd\u001f\u0007\ufffdZ\u0010Z\ufffd\ufffd\ufffd\u000e\u18b1\ufffd\ufffd\ufffd5\ufffdt# \ufffd\ufffd\ufffd\ufffdf\ufffd+\ufffd@\ufffd\ufffd\|\"w\ufffd\ufffd>\ufffdEc!\ufffd@\u028e\u0019\ufffd\ufffd,\ufffd\u0015\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0011\ufffd\ufffd\ufffdauC\u0005;+\ufffd\ufffd\u0016\u0014\ufffd\u0007\u0007n\u001e}\ufffd%\u0018\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u001b", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001d\ufffd\ufffd\b\ufffd\ufffd\ufffd\u000b)\ufffd\ufffd\u001f\u0007\ufffdZ\u0010Z\ufffd\ufffd\ufffd\u000e\u18b1\ufffd\ufffd\ufffd5\ufffdt# \ufffd\ufffd\ufffd\ufffdf\ufffd+\ufffd@\ufffd\ufffd\|\"w\ufffd\ufffd>\ufffdEc!\ufffd@\u028e\u0019\ufffd\ufffd,\ufffd\u0015\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "546d3846d5051e3ded26fd0ed8f4945dee64e3d0", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001d\ufffd\ufffd\b\ufffd\ufffd\ufffd\u000b)\ufffd\ufffd\u001f\u0007\ufffdZ\u0010Z\ufffd\ufffd\ufffd\u000e\u18b1\ufffd\ufffd\ufffd5\ufffdt# \ufffd\ufffd\ufffd\ufffdf\ufffd+\ufffd@\ufffd\ufffd\|\"w\ufffd\ufffd>\ufffdEc!\ufffd@\u028e\u0019\ufffd\ufffd,\ufffd\u0015\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffdZZ\ufffd\ufffd\ufffd\u18b1\ufffd\ufffd\ufffd5\ufffdt# \ufffd\ufffd\ufffd\ufffdf\ufffd+\ufffd@\ufffd\ufffd\|\"w\ufffd\ufffd>\ufffdEc!\ufffd@\u028e\ufffd\ufffd,\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via CONSUL SERVER:8300 \u00b7 (sonde \/ probe)", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "consul-server", "service_label_fr": "CONSUL SERVER", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-consul-server", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001d\ufffd\ufffd\b\ufffd\ufffd\ufffd\u000b)\ufffd\ufffd\u001f\u0007\ufffdZ\u0010Z\ufffd\ufffd\ufffd\u000e\u18b1\ufffd\ufffd\ufffd5\ufffdt# \ufffd\ufffd\ufffd\ufffdf\ufffd+\ufffd@\ufffd\ufffd\|\"w\ufffd\ufffd>\ufffdEc!\ufffd@\u028e\u0019\ufffd\ufffd,\ufffd\u0015\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "attack_vector": "postgres probe \u00b7 via CONSUL SERVER:8300 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffdZZ\ufffd\ufffd\ufffd\u18b1\ufffd\ufffd\ufffd5\ufffdt# \ufffd\ufffd\ufffd\ufffdf\ufffd+\ufffd@\ufffd\ufffd\|\"w\ufffd\ufffd>\ufffdEc!\ufffd@\u028e\ufffd\ufffd,\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "consul_server", "service_banner": "honeypot-consul-server", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · CONSUL SERVER	consul-server	Sonde PostgreSQL postgres probe · via CONSUL SERVER:8300 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur CONSUL-SERVER WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8300 Chemin / cible — Service CONSUL SERVER Payload �� /òc��!o0ӱc�9�� >!aP��[(�m ��8��j�k�:�U��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �� /òc��!o0ӱc�9�� >!aP��[(�m ��8��j�k�:�U��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) �� /òc��!o0ӱc�9�� >!aP��[(�m ��8��j�k�:�U��&�+�/�,�0̨̩� �� /5� w �+3&$ ��%��w�B��^�٣G�S@�ztMM�p Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.881204356313466, "port_category": "registered", "org": "Google LLC", "service": "consul-server", "app_proto": "consul-server", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "6fb1dcfb536ed06ac48a5f920174a63054f2ac14", "event_fingerprint": "e68037b92ba58b835ba3615b495a30586db90f6f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "consul-server", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "557b1bd8a0298de5c2ebb464ce73cc02", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8300, "service": "consul-server", "service_name": "consul-server", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\ufffd\/\u00f2c\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!o0\u04f1c\ufffd9\ufffd\u001d\ufffd\ufffd \t>!aP\ufffd\ufffd[(\u0014\ufffdm\n\ufffd\ufffd8\ufffd\ufffd\ufffdj\ufffdk\ufffd:\ufffdU\ufffd\u0005\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\ufffd\/\u00f2c\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!o0\u04f1c\ufffd9\ufffd\u001d\ufffd\ufffd \t>!aP\ufffd\ufffd[(\u0014\ufffdm\n\ufffd\ufffd8\ufffd\ufffd\ufffdj\ufffdk\ufffd:\ufffdU\ufffd\u0005\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0012\ufffd\ufffd%\ufffd\ufffdw\ufffd\u0013B\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffd\u0663G\ufffdS@\ufffd\u0011ztMM\ufffdp", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\ufffd\/\u00f2c\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!o0\u04f1c\ufffd9\ufffd\u001d\ufffd\ufffd \t>!aP\ufffd\ufffd[(\u0014\ufffdm\n\ufffd\ufffd8\ufffd\ufffd\ufffdj\ufffdk\ufffd:\ufffdU\ufffd\u0005\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "33d649d778b8e08652a6dc85d33cb78e1d276ec4", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\ufffd\/\u00f2c\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!o0\u04f1c\ufffd9\ufffd\u001d\ufffd\ufffd \t>!aP\ufffd\ufffd[(\u0014\ufffdm\n\ufffd\ufffd8\ufffd\ufffd\ufffdj\ufffdk\ufffd:\ufffdU\ufffd\u0005\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\ufffd\/\u00f2c\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!o0\u04f1c\ufffd9\ufffd\ufffd\ufffd \t>!aP\ufffd\ufffd[(\ufffdm\n\ufffd\ufffd8\ufffd\ufffd\ufffdj\ufffdk\ufffd:\ufffdU\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via CONSUL SERVER:8300 \u00b7 (sonde \/ probe)", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "consul-server", "service_label_fr": "CONSUL SERVER", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-consul-server", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\ufffd\/\u00f2c\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!o0\u04f1c\ufffd9\ufffd\u001d\ufffd\ufffd \t>!aP\ufffd\ufffd[(\u0014\ufffdm\n\ufffd\ufffd8\ufffd\ufffd\ufffdj\ufffdk\ufffd:\ufffdU\ufffd\u0005\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "attack_vector": "postgres probe \u00b7 via CONSUL SERVER:8300 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\ufffd\/\u00f2c\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!o0\u04f1c\ufffd9\ufffd\ufffd\ufffd \t>!aP\ufffd\ufffd[(\ufffdm\n\ufffd\ufffd8\ufffd\ufffd\ufffdj\ufffdk\ufffd:\ufffdU\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "consul_server", "service_banner": "honeypot-consul-server", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · CONSUL SERVER	consul-server	Sonde PostgreSQL postgres probe · via CONSUL SERVER:8300 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur CONSUL-SERVER WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8300 Chemin / cible — Service CONSUL SERVER Payload ��`Ԕ�3��M+�[��Z�1W#�/x�� ]\g[l�Dt�o \|0�˹�sϐK�pr�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��`Ԕ�3��M+�[��Z�1W#�/x�� ]\g[l�Dt�o \|0�˹�sϐK�pr�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��`Ԕ�3��M+�[��Z�1W#�/x�� ]\g[l�Dt�o \|0�˹�sϐK�pr�&�+�/�,�0̨̩� �� /5� w �+3&$ A��/�)��ٹ^E��q� ̀c Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.869744627982252, "port_category": "registered", "org": "Google LLC", "service": "consul-server", "app_proto": "consul-server", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "6fb1dcfb536ed06ac48a5f920174a63054f2ac14", "event_fingerprint": "e68037b92ba58b835ba3615b495a30586db90f6f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "consul-server", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ed27634f008cf646da96ab92f56d5d8b", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8300, "service": "consul-server", "service_name": "consul-server", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd`\u0514\ufffd3\ufffd\ufffd\ufffdM+\ufffd[\ufffd\u001c\u0019\ufffdZ\ufffd1W#\ufffd\/x\ufffd\ufffd\ufffd\u001d\ufffd \ufffd\ufffd]\\g[l\ufffdDt\ufffdo\n\|0\ufffd\u001a\u02f9\ufffds\u03d0K\ufffdpr\ufffd\u001d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd`\u0514\ufffd3\ufffd\ufffd\ufffdM+\ufffd[\ufffd\u001c\u0019\ufffdZ\ufffd1W#\ufffd\/x\ufffd\ufffd\ufffd\u001d\ufffd \ufffd\ufffd]\\g[l\ufffdDt\ufffdo\n\|0\ufffd\u001a\u02f9\ufffds\u03d0K\ufffdpr\ufffd\u001d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0017A\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffd)\ufffd\ufffd\ufffd\u0679^E\ufffd\ufffd\ufffdq\u0006\ufffd \u0300c", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd`\u0514\ufffd3\ufffd\ufffd\ufffdM+\ufffd[\ufffd\u001c\u0019\ufffdZ\ufffd1W#\ufffd\/x\ufffd\ufffd\ufffd\u001d\ufffd \ufffd\ufffd]\\g[l\ufffdDt\ufffdo\n\|0\ufffd\u001a\u02f9\ufffds\u03d0K\ufffdpr\ufffd\u001d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ba96e2e4d4610e59d2849a3f51dfcd4561ea98d2", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd`\u0514\ufffd3\ufffd\ufffd\ufffdM+\ufffd[\ufffd\u001c\u0019\ufffdZ\ufffd1W#\ufffd\/x\ufffd\ufffd\ufffd\u001d\ufffd \ufffd\ufffd]\\g[l\ufffdDt\ufffdo\n\|0\ufffd\u001a\u02f9\ufffds\u03d0K\ufffdpr\ufffd\u001d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd`\u0514\ufffd3\ufffd\ufffd\ufffdM+\ufffd[\ufffd\ufffdZ\ufffd1W#\ufffd\/x\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd]\\g[l\ufffdDt\ufffdo\n\|0\ufffd\u02f9\ufffds\u03d0K\ufffdpr\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via CONSUL SERVER:8300 \u00b7 (sonde \/ probe)", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "consul-server", "service_label_fr": "CONSUL SERVER", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-consul-server", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd`\u0514\ufffd3\ufffd\ufffd\ufffdM+\ufffd[\ufffd\u001c\u0019\ufffdZ\ufffd1W#\ufffd\/x\ufffd\ufffd\ufffd\u001d\ufffd \ufffd\ufffd]\\g[l\ufffdDt\ufffdo\n\|0\ufffd\u001a\u02f9\ufffds\u03d0K\ufffdpr\ufffd\u001d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "attack_vector": "postgres probe \u00b7 via CONSUL SERVER:8300 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd`\u0514\ufffd3\ufffd\ufffd\ufffdM+\ufffd[\ufffd\ufffdZ\ufffd1W#\ufffd\/x\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd]\\g[l\ufffdDt\ufffdo\n\|0\ufffd\u02f9\ufffds\u03d0K\ufffdpr\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "consul_server", "service_banner": "honeypot-consul-server", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · CONSUL SERVER	consul-server	Sonde PostgreSQL postgres probe · via CONSUL SERVER:8300 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur CONSUL-SERVER WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8300 Chemin / cible — Service CONSUL SERVER Payload ��=Q�ϊt��!RJ��#�{S"�X�[F (�`թ�;S'�Ϗ��9N�z+�X�̄�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��=Q�ϊt��!RJ��#�{S"�X�[F (�`թ�;S'�Ϗ��9N�z+�X�̄�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��=Q�ϊt��!RJ��#�{S"�X�[F (�`թ�;S'�Ϗ��9N�z+�X�̄�&�+�/�,�0̨̩� �� /5� w �+3&$ g��No>岴+�V�U��(��&q��U Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.851471523633888, "port_category": "registered", "org": "Google LLC", "service": "consul-server", "app_proto": "consul-server", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "6fb1dcfb536ed06ac48a5f920174a63054f2ac14", "event_fingerprint": "e68037b92ba58b835ba3615b495a30586db90f6f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "consul-server", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6cf8c7ff40ca991dd6c57a36ae8b6104", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8300, "service": "consul-server", "service_name": "consul-server", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd=\u0016Q\ufffd\u03cat\ufffd\ufffd\ufffd\u0006\ufffd!RJ\ufffd\ufffd\ufffd#\u0015\ufffd{\u0004S\"\ufffdX\ufffd[F \u001d(\ufffd`\u0569\ufffd;S'\ufffd\u03cf\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00079N\ufffdz+\ufffdX\ufffd\u0304\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd=\u0016Q\ufffd\u03cat\ufffd\ufffd\ufffd\u0006\ufffd!RJ\ufffd\ufffd\ufffd#\u0015\ufffd{\u0004S\"\ufffdX\ufffd[F \u001d(\ufffd`\u0569\ufffd;S'\ufffd\u03cf\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00079N\ufffdz+\ufffdX\ufffd\u0304\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 g\ufffd\ufffd\ufffdNo>\u5cb4\u0004+\ufffdV\u001c\ufffd\u001fU\ufffd\ufffd\u0015\ufffd\ufffd(\ufffd\ufffd&q\ufffd\ufffdU", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd=\u0016Q\ufffd\u03cat\ufffd\ufffd\ufffd\u0006\ufffd!RJ\ufffd\ufffd\ufffd#\u0015\ufffd{\u0004S\"\ufffdX\ufffd[F \u001d(\ufffd`\u0569\ufffd;S'\ufffd\u03cf\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00079N\ufffdz+\ufffdX\ufffd\u0304\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b060c3e4de9ea9dc3174cde443400f738871f4c7", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd=\u0016Q\ufffd\u03cat\ufffd\ufffd\ufffd\u0006\ufffd!RJ\ufffd\ufffd\ufffd#\u0015\ufffd{\u0004S\"\ufffdX\ufffd[F \u001d(\ufffd`\u0569\ufffd;S'\ufffd\u03cf\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00079N\ufffdz+\ufffdX\ufffd\u0304\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd=Q\ufffd\u03cat\ufffd\ufffd\ufffd\ufffd!RJ\ufffd\ufffd\ufffd#\ufffd{S\"\ufffdX\ufffd[F (\ufffd`\u0569\ufffd;S'\ufffd\u03cf\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd9N\ufffdz+\ufffdX\ufffd\u0304\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via CONSUL SERVER:8300 \u00b7 (sonde \/ probe)", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "consul-server", "service_label_fr": "CONSUL SERVER", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-consul-server", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd=\u0016Q\ufffd\u03cat\ufffd\ufffd\ufffd\u0006\ufffd!RJ\ufffd\ufffd\ufffd#\u0015\ufffd{\u0004S\"\ufffdX\ufffd[F \u001d(\ufffd`\u0569\ufffd;S'\ufffd\u03cf\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00079N\ufffdz+\ufffdX\ufffd\u0304\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "attack_vector": "postgres probe \u00b7 via CONSUL SERVER:8300 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd=Q\ufffd\u03cat\ufffd\ufffd\ufffd\ufffd!RJ\ufffd\ufffd\ufffd#\ufffd{S\"\ufffdX\ufffd[F (\ufffd`\u0569\ufffd;S'\ufffd\u03cf\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd9N\ufffdz+\ufffdX\ufffd\u0304\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "consul_server", "service_banner": "honeypot-consul-server", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · CONSUL SERVER	consul-server	Sonde PostgreSQL postgres probe · via CONSUL SERVER:8300 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur CONSUL-SERVER WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8300 Chemin / cible — Service CONSUL SERVER Payload ��5_��n)�E� ��UM��>��׀�L�� @ 0��1� ��<dFNe�c��m&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��5_��n)�E��UM��>��׀�L�� @ 0��1� ��<dFNe�c��m&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��5_��n)�E� ��UM��>��׀�L�� @ 0��1� ��<dFNe�c��m&�+�/�,�0̨̩� �� /5� w �+3&$ ��E�EW��>\ۺ@y�Gs�&'�Ӟ�/ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.824756396913745, "port_category": "registered", "org": "Google LLC", "service": "consul-server", "app_proto": "consul-server", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "6fb1dcfb536ed06ac48a5f920174a63054f2ac14", "event_fingerprint": "e68037b92ba58b835ba3615b495a30586db90f6f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "consul-server", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "49a4e4ba8ea4ab9e62a12e8c1df3065d", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8300, "service": "consul-server", "service_name": "consul-server", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd5_\ufffd\ufffd\ufffdn)\ufffdE\ufffd\u000b\ufffd\ufffd\u0016\ufffdUM\ufffd\ufffd>\ufffd\ufffd\u05c0\ufffdL\ufffd\ufffd\ufffd\u0007 @\b\u0004\n0\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd\n\ufffd\u001d\ufffd\ufffd\ufffd<dFNe\ufffdc\ufffd\u0014\ufffd\ufffdm\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd5_\ufffd\ufffd\ufffdn)\ufffdE\ufffd\u000b\ufffd\ufffd\u0016\ufffdUM\ufffd\ufffd>\ufffd\ufffd\u05c0\ufffdL\ufffd\ufffd\ufffd\u0007 @\b\u0004\n0\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd\n\ufffd\u001d\ufffd\ufffd\ufffd<dFNe\ufffdc\ufffd\u0014\ufffd\ufffdm\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffdE\ufffdEW\ufffd\ufffd\u000e\ufffd>\\\u06fa@y\ufffdG\u0010s\ufffd&'\u0000\ufffd\u04de\ufffd\/", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd5_\ufffd\ufffd\ufffdn)\ufffdE\ufffd\u000b\ufffd\ufffd\u0016\ufffdUM\ufffd\ufffd>\ufffd\ufffd\u05c0\ufffdL\ufffd\ufffd\ufffd\u0007 @\b\u0004\n0\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd\n\ufffd\u001d\ufffd\ufffd\ufffd<dFNe\ufffdc\ufffd\u0014\ufffd\ufffdm\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c1e111ddb58223aec15d0152907488d703b192bc", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd5_\ufffd\ufffd\ufffdn)\ufffdE\ufffd\u000b\ufffd\ufffd\u0016\ufffdUM\ufffd\ufffd>\ufffd\ufffd\u05c0\ufffdL\ufffd\ufffd\ufffd\u0007 @\b\u0004\n0\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd\n\ufffd\u001d\ufffd\ufffd\ufffd<dFNe\ufffdc\ufffd\u0014\ufffd\ufffdm\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "evidence_snippet": "\ufffd\ufffd\ufffd5_\ufffd\ufffd\ufffdn)\ufffdE\ufffd\ufffd\ufffd\ufffdUM\ufffd\ufffd>\ufffd\ufffd\u05c0\ufffdL\ufffd\ufffd\ufffd @\n0\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd\n\ufffd\ufffd\ufffd\ufffd<dFNe\ufffdc\ufffd\ufffd\ufffdm&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via CONSUL SERVER:8300 \u00b7 (sonde \/ probe)", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "consul-server", "service_label_fr": "CONSUL SERVER", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-consul-server", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd5_\ufffd\ufffd\ufffdn)\ufffdE\ufffd\u000b\ufffd\ufffd\u0016\ufffdUM\ufffd\ufffd>\ufffd\ufffd\u05c0\ufffdL\ufffd\ufffd\ufffd\u0007 @\b\u0004\n0\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd\n\ufffd\u001d\ufffd\ufffd\ufffd<dFNe\ufffdc\ufffd\u0014\ufffd\ufffdm\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "attack_vector": "postgres probe \u00b7 via CONSUL SERVER:8300 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd5_\ufffd\ufffd\ufffdn)\ufffdE\ufffd\ufffd\ufffd\ufffdUM\ufffd\ufffd>\ufffd\ufffd\u05c0\ufffdL\ufffd\ufffd\ufffd @\n0\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd\n\ufffd\ufffd\ufffd\ufffd<dFNe\ufffdc\ufffd\ufffd\ufffdm&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "consul_server", "service_banner": "honeypot-consul-server", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /api/settings.yml	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /api/settings.yml UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/settings.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /api/settings.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/settings.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3876.0 Safari/537.36 Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/settings.yml HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /api/settings.yml HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3876.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "32327fff8b51993e2a11eaa1f03a55f19f9a3e6a", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "ca1a81175cd9e58e9e1d76706220c73a85edea6c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 239, "payload_entropy": 5.416057141060479, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 6, "anomaly_count": 0, "campaign_key": "b889a93cf0fe7c55985f568e65814272605cb427", "event_fingerprint": "851a03555a2ed24d721235fddf3d633936340cfb", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "374e594fff7d90fcc3f4c27b624d5da4", "payload_hash": "2d318d7da39389fe18f6e93e509d8b53", "path_pattern_hash": "bf4cbe1c6a04f0ce19969bc5a096ab48" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/api\/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/api\/settings.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/settings.yml HTTP\/1.1", "request_sample": "GET \/api\/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/api\/settings.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/settings.yml HTTP\/1.1", "request_sample": "GET \/api\/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "116271b2c8101e2eb3141ce1c745a30269fbfaa3", "protocol_details": { "http_method": "GET", "http_path": "\/api\/settings.yml", "request_line": "GET \/api\/settings.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/settings.yml", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/settings.yml", "request_line": "GET \/api\/settings.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/settings.yml", "evidence_snippet": "GET \/api\/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /api-keys.json	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /api-keys.json UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /api-keys.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /api-keys.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api-keys.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /api-keys.json HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /api-keys.json HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "f6b14df20eb2e81066b12e1b70f1ed896fb62a52", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "c66ed2cb2ee7945e15913f0f7ca32c846f13537b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.4450312550241575, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "da0e92cd0ebb085b51990a0223f84b28a1dbd99e", "event_fingerprint": "4edb8884a03680150a9e3ff6a515067df7953e27", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "470f0c990fcda5e76243a30e4433da48", "payload_hash": "a75a59a41b45d335446774ea50507052", "path_pattern_hash": "015c5a8e5b64863b9df5b863319a5c2b" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/api-keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/api-keys.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/api-keys.json HTTP\/1.1", "request_sample": "GET \/api-keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api-keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/api-keys.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/api-keys.json HTTP\/1.1", "request_sample": "GET \/api-keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api-keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fc32cb32762ed9a4e945b0bd45d82683a52354f7", "protocol_details": { "http_method": "GET", "http_path": "\/api-keys.json", "request_line": "GET \/api-keys.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api-keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api-keys.json", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api-keys.json", "request_line": "GET \/api-keys.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api-keys.json", "evidence_snippet": "GET \/api-keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /api_keys.json	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /api_keys.json UA Mozilla/5.0 (Linux; Android 9; CLT-L09) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /api_keys.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /api_keys.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api_keys.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; CLT-L09) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /api_keys.json HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 9; CLT-L09) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /api_keys.json HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 9; CLT-L09) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "59fe7753801d9b0030bde7c6461fcc6a8be9f023", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "3971e7314acad350173b94aed96196fdfff8d535", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.4322959757508285, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "da0e92cd0ebb085b51990a0223f84b28a1dbd99e", "event_fingerprint": "526daa0c1d2899ebc052fbc5bcbaf21d436db66e", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6a9b3a0f1e02bf4f12d32a74f30f4489", "payload_hash": "60c4cbf9fd976a0ddadb79b1c8ac182f", "path_pattern_hash": "6a6e9ce9657aeba0082f546e97e5badf" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/api_keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/api_keys.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/api_keys.json HTTP\/1.1", "request_sample": "GET \/api_keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api_keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/api_keys.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/api_keys.json HTTP\/1.1", "request_sample": "GET \/api_keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api_keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "478621b9c108f07744e9f7e780f864e89d6eb501", "protocol_details": { "http_method": "GET", "http_path": "\/api_keys.json", "request_line": "GET \/api_keys.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api_keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 (KHTM", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api_keys.json", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api_keys.json", "request_line": "GET \/api_keys.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api_keys.json", "evidence_snippet": "GET \/api_keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 (KHTM", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /private.json	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /private.json UA Mozilla/5.0 (Linux; Android 8.1.0; vivo 1802 Build/O11019; wv) … Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /private.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /private.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /private.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; vivo 1802 Build/O11019; wv) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36 VivoBrowser/5.8.0.10 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /private.json HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; vivo 1802 Build/O11019; wv) Ap Requête brute (extrait) GET /private.json HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; vivo 1802 Build/O11019; wv) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36 VivoBrowser/5.8.0.10 Accept-Charset: utf-8 Accep Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "915547fcc5e696789d649d2cafc71faeb847099b", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "cba94a1b37f4bc1c6667e76235119ed3064bd656", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 295, "payload_entropy": 5.443453869769887, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "da0e92cd0ebb085b51990a0223f84b28a1dbd99e", "event_fingerprint": "213c1eb8b6285fafda4f4829e96ae4b86d51e6bb", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8702e458ea5871d79ff9b7c48fa7d332", "payload_hash": "5a1d871eae1a450bdd27f1e8c900badd", "path_pattern_hash": "45bc7fdb4d234c918d3617f96e56d2a9" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; wv) Ap", "method": "GET", "path": "\/private.json", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.84 Mobile Safari\/537.36 VivoBrowser\/5.8.0.10", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private.json HTTP\/1.1", "request_sample": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.84 Mobile Safari\/537.36 VivoBrowser\/5.8.0.10\r\nAccept-Charset: utf-8\r\nAccep", "payload_snippet": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; wv) Ap", "evidence": { "method": "GET", "path": "\/private.json", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.84 Mobile Safari\/537.36 VivoBrowser\/5.8.0.10", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private.json HTTP\/1.1", "request_sample": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.84 Mobile Safari\/537.36 VivoBrowser\/5.8.0.10\r\nAccept-Charset: utf-8\r\nAccep", "payload_snippet": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; wv) Ap", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2ff55d4e100f401a164de4f777ffcd03f319e66a", "protocol_details": { "http_method": "GET", "http_path": "\/private.json", "request_line": "GET \/private.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; wv) Ap", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private.json", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/private.json", "request_line": "GET \/private.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private.json", "evidence_snippet": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; wv) Ap", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:8300 · (tentative d'exploit) · → /api/credentials.json	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /api/credentials.json UA Mozilla/5.0 (SMART-TV; X11; Linux armv7l) AppleWebkit/537.42 (K… Émulateur HTTP WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/credentials.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /api/credentials.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux pat-0472 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Credentials JSON Ligne de requête `GET /api/credentials.json HTTP/1.1` User-Agent Mozilla/5.0 (SMART-TV; X11; Linux armv7l) AppleWebkit/537.42 (KHTML, like Gecko) Chromium/25.0.1349.2 Chrome/25.0.1349.2 Safari/537.42 Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/credentials.json HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (SMART-TV; X11; Linux armv7l) AppleWebkit/537 Requête brute (extrait) GET /api/credentials.json HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (SMART-TV; X11; Linux armv7l) AppleWebkit/537.42 (KHTML, like Gecko) Chromium/25.0.1349.2 Chrome/25.0.1349.2 Safari/537.42 Accept-Charset: utf-8 Accept-Encoding: gzip Con Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "ac295833e861e41336cc6a78bae3e3d38557f557", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "bd2b2e522575cf2b6a79434a45baa745a109b7fe", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 274, "payload_entropy": 5.479395525087797, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 100, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 100, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 6, "anomaly_count": 0, "campaign_key": "81d0d6c453f2ce86979e812d5fdc0a8ffa4361d8", "event_fingerprint": "1fe19cd78a6d73f643867bf715bc93070a836fbd", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0472" ], "matched_pattern_names": [ "Cred Credentials JSON" ], "pattern_ids": [ "pat-0472" ], "confidence_breakdown": { "waf": 100, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a8c2627984e0624773e0f0c1a9d592e8", "payload_hash": "6a87d28c305673de9a59673ed4672012", "path_pattern_hash": "324ca375a9560f0f0442f12c08f92527" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/api\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (SMART-TV; X11; Linux armv7l) AppleWebkit\/537", "method": "GET", "path": "\/api\/credentials.json", "user_agent": "Mozilla\/5.0 (SMART-TV; X11; Linux armv7l) AppleWebkit\/537.42 (KHTML, like Gecko) Chromium\/25.0.1349.2 Chrome\/25.0.1349.2 Safari\/537.42", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/credentials.json HTTP\/1.1", "request_sample": "GET \/api\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (SMART-TV; X11; Linux armv7l) AppleWebkit\/537.42 (KHTML, like Gecko) Chromium\/25.0.1349.2 Chrome\/25.0.1349.2 Safari\/537.42\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/api\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (SMART-TV; X11; Linux armv7l) AppleWebkit\/537", "evidence": { "method": "GET", "path": "\/api\/credentials.json", "user_agent": "Mozilla\/5.0 (SMART-TV; X11; Linux armv7l) AppleWebkit\/537.42 (KHTML, like Gecko) Chromium\/25.0.1349.2 Chrome\/25.0.1349.2 Safari\/537.42", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/credentials.json HTTP\/1.1", "request_sample": "GET \/api\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (SMART-TV; X11; Linux armv7l) AppleWebkit\/537.42 (KHTML, like Gecko) Chromium\/25.0.1349.2 Chrome\/25.0.1349.2 Safari\/537.42\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/api\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (SMART-TV; X11; Linux armv7l) AppleWebkit\/537", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2053b59b33842569cb491c84e3f29bc65a6109b0", "protocol_details": { "http_method": "GET", "http_path": "\/api\/credentials.json", "request_line": "GET \/api\/credentials.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (SMART-TV; X11; Linux armv7l) AppleWebkit\/537.42 (KHTML, like Gecko) Chromium\/25.0.1349.2 Chrome\/25.0.1349.\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (SMART-TV; X11; Linux armv7l) AppleWebkit\/537", "attack_vector": "credential file probe \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/credentials.json", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0472", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/credentials.json", "request_line": "GET \/api\/credentials.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (SMART-TV; X11; Linux armv7l) AppleWebkit\/537.42 (KHTML, like Gecko) Chromium\/25.0.1349.2 Chrome\/25.0.1349.\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/credentials.json", "evidence_snippet": "GET \/api\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (SMART-TV; X11; Linux armv7l) AppleWebkit\/537", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /keys.json	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /keys.json UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, l… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /keys.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /keys.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /keys.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.36 Safari/535.7 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /keys.json HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like G Requête brute (extrait) GET /keys.json HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.36 Safari/535.7 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "b24db827597af76ea6b779c10780ee4368984ff6", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "c3ac892564a71141581a4e5efe8d4174457be60d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 234, "payload_entropy": 5.4359883465898715, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "da0e92cd0ebb085b51990a0223f84b28a1dbd99e", "event_fingerprint": "a155c625f69468a889e703ab32785affdb6c8be1", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5e3203e96f1bc67a5b39f6232a2ae0ab", "payload_hash": "ab3a911cbc9c8cc0586193d3135e590e", "path_pattern_hash": "ac1c8497c117520986c9f2f44ae6cfa7" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.7 (KHTML, like G", "method": "GET", "path": "\/keys.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/keys.json HTTP\/1.1", "request_sample": "GET \/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.7 (KHTML, like G", "evidence": { "method": "GET", "path": "\/keys.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/keys.json HTTP\/1.1", "request_sample": "GET \/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.7 (KHTML, like G", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2cfdeb444679582ac83a974f5895cdbdfbb741d2", "protocol_details": { "http_method": "GET", "http_path": "\/keys.json", "request_line": "GET \/keys.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.7 (KHTML, like G", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/keys.json", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/keys.json", "request_line": "GET \/keys.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/keys.json", "evidence_snippet": "GET \/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.7 (KHTML, like G", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /api/database.php	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /api/database.php UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/database.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /api/database.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/database.php HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36 Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/database.php HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /api/database.php HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "ea4fa585ac15d157c47f34ea7de09f788feba735", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "3b0f704debd9557578c7b95595853680ba57e853", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.422553310414059, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 6, "anomaly_count": 0, "campaign_key": "2d519118669b1a6e99cb8d07c3713de6c3f9370c", "event_fingerprint": "3a79854626a8cad2f99d277b6c5c483d79767f18", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d82cefaf22eda39f47cd4260363c44b1", "payload_hash": "cef089809e8a50b295c3d9b5d3d12790", "path_pattern_hash": "0e4dd4a2248d9ed0c82f50221193673a" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/api\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/api\/database.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.75 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/database.php HTTP\/1.1", "request_sample": "GET \/api\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.75 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/api\/database.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.75 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/database.php HTTP\/1.1", "request_sample": "GET \/api\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.75 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1d4de95136826bcfcbb1628da90bf090a44bd35a", "protocol_details": { "http_method": "GET", "http_path": "\/api\/database.php", "request_line": "GET \/api\/database.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.75 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/database.php", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/database.php", "request_line": "GET \/api\/database.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.75 Safari\/537.36", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/database.php", "evidence_snippet": "GET \/api\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /api/config.yml	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /api/config.yml UA Mozilla/5.0 (Windows Phone 8.1; ARM; Trident/7.0; Touch; rv:11.… Émulateur HTTP WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/config.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /api/config.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/config.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows Phone 8.1; ARM; Trident/7.0; Touch; rv:11.0; IEMobile/11.0; NOKIA; Lumia 630) like Gecko Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/config.yml HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows Phone 8.1; ARM; Trident/7.0; Touch; rv:11. Requête brute (extrait) GET /api/config.yml HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Windows Phone 8.1; ARM; Trident/7.0; Touch; rv:11.0; IEMobile/11.0; NOKIA; Lumia 630) like Gecko Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "8c32d04d9f70ec5117f801e0a276d06dd05dc6ea", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "4744e451f0e5837e40fea15eeae656c670359c61", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.355124800897612, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 6, "anomaly_count": 0, "campaign_key": "b889a93cf0fe7c55985f568e65814272605cb427", "event_fingerprint": "550843e823ccbca0867642f21f310d5f43fdf774", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58530c49dfeebde0dd3f1821d569b478", "payload_hash": "63566c7f4515d04b061d4bd87ac1bd97", "path_pattern_hash": "1d6a542ea609410a54ba728eccda5c8b" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/api\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.", "method": "GET", "path": "\/api\/config.yml", "user_agent": "Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 630) like Gecko", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/config.yml HTTP\/1.1", "request_sample": "GET \/api\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 630) like Gecko\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.", "evidence": { "method": "GET", "path": "\/api\/config.yml", "user_agent": "Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 630) like Gecko", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/config.yml HTTP\/1.1", "request_sample": "GET \/api\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 630) like Gecko\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f7b9775db788a7385c447c65fcc321bd5b817de6", "protocol_details": { "http_method": "GET", "http_path": "\/api\/config.yml", "request_line": "GET \/api\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 630) like Gecko", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/config.yml", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/config.yml", "request_line": "GET \/api\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 630) like Gecko", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/config.yml", "evidence_snippet": "GET \/api\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /api/appsettings.json	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /api/appsettings.json UA Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/… Émulateur HTTP WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/appsettings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /api/appsettings.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred ASP.NET settings Ligne de requête `GET /api/appsettings.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/GRJ22) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/appsettings.json HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Requête brute (extrait) GET /api/appsettings.json HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/GRJ22) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Accept-Charset: utf-8 Accept-Encoding: gz Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "d7c60473ca507d0f267a16bb2c90d1bcbbc70259", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "16223ed774af363bfa3a19e07c4401628555ae7f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 281, "payload_entropy": 5.396256449671361, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 6, "anomaly_count": 0, "campaign_key": "b889a93cf0fe7c55985f568e65814272605cb427", "event_fingerprint": "2d993d409b470a2f05c85831a1bf6a753a709eda", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0466" ], "matched_pattern_names": [ "Cred ASP.NET settings" ], "pattern_ids": [ "pat-0466" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1104c74dd435280ff2b2099a808bc6c8", "payload_hash": "3f7216375e8fa39e050d8cd65727eadf", "path_pattern_hash": "9a59da8a4826d25b327ad6f6ccd7a0fe" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/api\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II ", "method": "GET", "path": "\/api\/appsettings.json", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/appsettings.json HTTP\/1.1", "request_sample": "GET \/api\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "payload_snippet": "GET \/api\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II", "evidence": { "method": "GET", "path": "\/api\/appsettings.json", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/appsettings.json HTTP\/1.1", "request_sample": "GET \/api\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "payload_snippet": "GET \/api\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3d553683ba4a331c2405f009edbb52ccb3f528f2", "protocol_details": { "http_method": "GET", "http_path": "\/api\/appsettings.json", "request_line": "GET \/api\/appsettings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/appsettings.json", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/appsettings.json", "request_line": "GET \/api\/appsettings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/appsettings.json", "evidence_snippet": "GET \/api\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /api_keys.yml	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /api_keys.yml UA Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit/537.51… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /api_keys.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /api_keys.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api_keys.yml HTTP/1.1` User-Agent Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) CriOS/30.0.1599.12 Mobile/11A465 Safari/8536.25 (3B92C18B-D9DE-4CB7-A02A-22FD2AF17C8F) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /api_keys.yml HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit/537.51.1 Requête brute (extrait) GET /api_keys.yml HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) CriOS/30.0.1599.12 Mobile/11A465 Safari/8536.25 (3B92C18B-D9DE-4CB7-A02A-22FD2AF17C8F) Accept-Charset: utf Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "b106e456fed5e0a352d2e2c10ff817b0dcc0082a", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "b1b0ece8c60b688b45eb0e1d24e20b9eba285b7f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 304, "payload_entropy": 5.558972281091779, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "da0e92cd0ebb085b51990a0223f84b28a1dbd99e", "event_fingerprint": "a9b2ad307f6b4650325b14810c1ad1c6b2d2b193", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "64e3bc3aeae4f0a3384ff870ba57f316", "payload_hash": "71630ae8eac07998b0bf38a98d738214", "path_pattern_hash": "5ca9a05c1d66736244e2d5f5eca525aa" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/api_keys.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit\/537.51.1", "method": "GET", "path": "\/api_keys.yml", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit\/537.51.1 (KHTML, like Gecko) CriOS\/30.0.1599.12 Mobile\/11A465 Safari\/8536.25 (3B92C18B-D9DE-4CB7-A02A-22FD2AF17C8F)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/api_keys.yml HTTP\/1.1", "request_sample": "GET \/api_keys.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit\/537.51.1 (KHTML, like Gecko) CriOS\/30.0.1599.12 Mobile\/11A465 Safari\/8536.25 (3B92C18B-D9DE-4CB7-A02A-22FD2AF17C8F)\r\nAccept-Charset: utf", "payload_snippet": "GET \/api_keys.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit\/537.51.1", "evidence": { "method": "GET", "path": "\/api_keys.yml", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit\/537.51.1 (KHTML, like Gecko) CriOS\/30.0.1599.12 Mobile\/11A465 Safari\/8536.25 (3B92C18B-D9DE-4CB7-A02A-22FD2AF17C8F)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/api_keys.yml HTTP\/1.1", "request_sample": "GET \/api_keys.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit\/537.51.1 (KHTML, like Gecko) CriOS\/30.0.1599.12 Mobile\/11A465 Safari\/8536.25 (3B92C18B-D9DE-4CB7-A02A-22FD2AF17C8F)\r\nAccept-Charset: utf", "payload_snippet": "GET \/api_keys.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit\/537.51.1", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b54113ab5653a07ebee18cb291e542e2f5c99848", "protocol_details": { "http_method": "GET", "http_path": "\/api_keys.yml", "request_line": "GET \/api_keys.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit\/537.51.1 (KHTML, like Gecko) CriOS\/30.0.1599.12 Mobile\/11A465 \u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api_keys.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit\/537.51.1", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api_keys.yml", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api_keys.yml", "request_line": "GET \/api_keys.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit\/537.51.1 (KHTML, like Gecko) CriOS\/30.0.1599.12 Mobile\/11A465 \u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api_keys.yml", "evidence_snippet": "GET \/api_keys.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit\/537.51.1", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:38:24 UTC	TCP	8300 · HTTP	http	Flood / DDoS http flood · via HTTP:8300 · (tentative d'exploit) · → /api/application.yml	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /api/application.yml UA Mozilla/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit/537.36 … Émulateur HTTP WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/application.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8300 Chemin / cible /api/application.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/application.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/application.yml HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit/53 Requête brute (extrait) GET /api/application.yml HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "c22b811f6079d1008094695c3038cc31be7f2962", "http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c", "http_target_hash": "eaa807d97ed075164ad06a16fff4f79030561dd8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.398118300497796, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8300, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 6, "anomaly_count": 0, "campaign_key": "b889a93cf0fe7c55985f568e65814272605cb427", "event_fingerprint": "cbe083cc40f4f9537edd1976a890e5b56866b824", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4cd92407b05ac14d5924946547680140", "payload_hash": "12a35b49d5cefe9b0da4d2b79a7db05d", "path_pattern_hash": "f35df1fc019a96ac8898ec6340239854" }, "target_context": { "dst_port": 8300, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/api\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/53", "method": "GET", "path": "\/api\/application.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/application.yml HTTP\/1.1", "request_sample": "GET \/api\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/api\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/api\/application.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/application.yml HTTP\/1.1", "request_sample": "GET \/api\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/api\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/53", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5c937a0d934080a8088d75825705c9fc80772f0a", "protocol_details": { "http_method": "GET", "http_path": "\/api\/application.yml", "request_line": "GET \/api\/application.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/5\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/53", "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/application.yml", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/application.yml", "request_line": "GET \/api\/application.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/5\u2026", "port": 8300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8300 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/application.yml", "evidence_snippet": "GET \/api\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/53", "target_port_label": "8300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "consul-server", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }

34.128.115.115

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence