Renseignement sur les menaces

Indonésie

34.128.115.255

FAI Google LLC Première vue 15/06/2026 11:54 UTC Dernière vue 15/06/2026 11:54 UTC Risque Élevé

Période analysée : 2026-06-11 → 2026-06-18

Activité suspecte — risque 62/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 68/100 Élevé

Première observation 15/06/2026 11:54 UTC

Dernière observation 15/06/2026 11:54 UTC

Événements (période) 854

MITRE ATT&CK principal TA0007 432 occurrences

Activité suspecte — risque 62/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_flood » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 84 · Bonus corrélation +8 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 34.128.0.0/17 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 854 événements sur la période pour cette IP.

147.185.133.223 Scanner web 18/06/2026 21:18 UTC
147.185.132.92 Scanner web 18/06/2026 21:18 UTC
147.185.132.158 Scanner web 18/06/2026 21:18 UTC
35.203.211.176 Scanner web 18/06/2026 21:18 UTC
35.203.211.238 Scanner web 18/06/2026 21:18 UTC
198.235.24.102 bgp 18/06/2026 21:18 UTC
147.185.133.238 Scanner web 18/06/2026 21:18 UTC
35.203.211.9 Scanner web 18/06/2026 21:18 UTC

Événements (filtres)

854

Première observation

15/06/2026 11:54 UTC

Dernière observation

15/06/2026 11:54 UTC

Dernière activité (filtres)

15/06/2026 11:54 UTC

Événements 7j

854

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 427 TLS TCP 427

HTTP

427

TLS

427

Géolocalisation

Origine réseau déclarée

Indonésie unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 8220 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

http flood · via HTTP:8220 · (tentative d'exploit) · → /config/sendgrid.php

Détails protocole

Méthode: GET
Chemin: /config/sendgrid.php
User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89…

Aperçu payload

GET /config/sendgrid.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit/537.3

Port / service

8220 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — 3 tag(s) WAF

Technique MITRE

T1499

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1499 Upstream Waf Score

Confiance

100% Corrélation +8

Famille de menace

ddos

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

854 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

854 événement(s) — page 3/18

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 11:54:43 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /private_key.pem	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /private_key.pem UA Mozilla/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit/537.36 … Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /private_key.pem TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /private_key.pem Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /private_key.pem HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /private_key.pem HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit/537.36 Requête brute (extrait) GET /private_key.pem HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "pem", "http_ua_hash": "6fd06e6e09468f8e8e384343a345edf31007b99c", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "0f51bc792d6f938bb82ea19d1935c3464eb59ea8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.430654809080478, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 53, "tag_count": 4, "anomaly_count": 0, "campaign_key": "3a07fa47fa3f219144e1cc5995f0db65a3e1cd12", "event_fingerprint": "73de3bff0bcb4f8c0d36f4e6717cefa9ee4efde9", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "77f79de387d009e7a4290247b156d661", "payload_hash": "5d0410d0bbc999b2dda7fe8823bbd57f", "path_pattern_hash": "fb2942fad108fb946e981f9671efa9dc" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36", "method": "GET", "path": "\/private_key.pem", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private_key.pem HTTP\/1.1", "request_sample": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/private_key.pem", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private_key.pem HTTP\/1.1", "request_sample": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3a4be7b03bd427233cdf76e04e313c928492e30f", "protocol_details": { "http_method": "GET", "http_path": "\/private_key.pem", "request_line": "GET \/private_key.pem HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/53\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private_key.pem", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/private_key.pem", "request_line": "GET \/private_key.pem HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/53\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private_key.pem", "evidence_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:43 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /sendgrid.py	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.py UA Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build/PPR1.1806… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/9.4 Chrome/67.0.3396.87 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.py HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build/PPR1.180610. Requête brute (extrait) GET /sendgrid.py HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/9.4 Chrome/67.0.3396.87 Mobile Safari/537.36 Accept-Charset: utf-8 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "py", "http_ua_hash": "1014a6231b008e6c8586be554fffa48f7623b8af", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "0e3f38ff7e509e55407449d72c93d40ab0729e93", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 300, "payload_entropy": 5.538811335062463, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f39dd65a535047fd3b661597b27e5ec3d606ffba", "event_fingerprint": "2135cf680288887b154b00306ac4e291aa55e874", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5b6124fc391b05135bc5ebea946869c2", "payload_hash": "93e7e9490d2d9bc7960c84be0333c550", "path_pattern_hash": "5599d311df7384f76edaf185f5d025e3" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.", "method": "GET", "path": "\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.py HTTP\/1.1", "request_sample": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\n", "payload_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.", "evidence": { "method": "GET", "path": "\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.py HTTP\/1.1", "request_sample": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\n", "payload_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ba5fc7a2f48a90a3d6b67cb88335aecabbb34a37", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.py", "request_line": "GET \/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBr\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.py", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.py", "request_line": "GET \/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBr\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.py", "evidence_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:43 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /sendgrid.min.js	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.min.js UA Konqueror/3.0-rc4; (Konqueror/3.0-rc4; i686 Linux;;datecode) Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.min.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /sendgrid.min.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.min.js HTTP/1.1` User-Agent Konqueror/3.0-rc4; (Konqueror/3.0-rc4; i686 Linux;;datecode) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.min.js HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Konqueror/3.0-rc4; (Konqueror/3.0-rc4; i686 Linux;;datecode) Requête brute (extrait) GET /sendgrid.min.js HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Konqueror/3.0-rc4; (Konqueror/3.0-rc4; i686 Linux;;datecode) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "4ed0d63bf1d6ec6fd866594fd70daab7ecc11510", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "c3c746112c0f0239b9db723ddc097884068a0409", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 195, "payload_entropy": 5.194546467537764, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f39dd65a535047fd3b661597b27e5ec3d606ffba", "event_fingerprint": "893353d2f690ce663e8ca9671c457de18a3e5549", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d52223bb5389281eb4cd370e619fa65d", "payload_hash": "c359b91792b835e73606b15b2d8da345", "path_pattern_hash": "eedccc9bc850fd543465f59f02102b9c" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)\r\n", "method": "GET", "path": "\/sendgrid.min.js", "user_agent": "Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.min.js HTTP\/1.1", "request_sample": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)", "evidence": { "method": "GET", "path": "\/sendgrid.min.js", "user_agent": "Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.min.js HTTP\/1.1", "request_sample": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ead428860909b6013cd5c61e5e781e223d783ddd", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.min.js", "request_line": "GET \/sendgrid.min.js HTTP\/1.1", "http_user_agent": "Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.min.js", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.min.js", "request_line": "GET \/sendgrid.min.js HTTP\/1.1", "http_user_agent": "Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.min.js", "evidence_snippet": "GET \/sendgrid.min.js HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:43 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /backend/sendgrid.py	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /backend/sendgrid.py UA Mozilla/5.0 (compatible; Konqueror/4.1; OpenBSD) KHTML/4.1.4 (l… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /backend/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /backend/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Konqueror/4.1; OpenBSD) KHTML/4.1.4 (like Gecko) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backend/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.1; OpenBSD) KHTML/4.1 Requête brute (extrait) GET /backend/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.1; OpenBSD) KHTML/4.1.4 (like Gecko) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "83c0e32e69eba9274f9e92d080df837bf356678e", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "9b3b3fd51ae018208ce4d96cbad2187f4475e746", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 212, "payload_entropy": 5.3638036365495765, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 61, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b71a3640df738d3e2ffb392f73ae06414f4a9a0b", "event_fingerprint": "c9dc153968420268961488bc570c0832e260ce2a", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0679f15f42978304c84c40c87099f482", "payload_hash": "33e5226221e4a2b8dab0f84efb54ba18", "path_pattern_hash": "ecf29d1ed95b1fd215637cce0a9e7303" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; OpenBSD) KHTML\/4.1", "method": "GET", "path": "\/backend\/sendgrid.py", "user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.1; OpenBSD) KHTML\/4.1.4 (like Gecko)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; OpenBSD) KHTML\/4.1.4 (like Gecko)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; OpenBSD) KHTML\/4.1", "evidence": { "method": "GET", "path": "\/backend\/sendgrid.py", "user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.1; OpenBSD) KHTML\/4.1.4 (like Gecko)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; OpenBSD) KHTML\/4.1.4 (like Gecko)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; OpenBSD) KHTML\/4.1", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "76d407f5ed87d5b4e3108b4e0bd619aa0206cf79", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/sendgrid.py", "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.1; OpenBSD) KHTML\/4.1.4 (like Gecko)", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; OpenBSD) KHTML\/4.1", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/sendgrid.py", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/sendgrid.py", "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.1; OpenBSD) KHTML\/4.1.4 (like Gecko)", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/sendgrid.py", "evidence_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; OpenBSD) KHTML\/4.1", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:43 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /config/sendgrid.js	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.js UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko/201… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /config/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko/20100101 Firefox/35.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko Requête brute (extrait) GET /config/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko/20100101 Firefox/35.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "ee07d6b8c3cf2d47d68e70f53e489193ac7bc502", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "dfc017b1f5d967c2ea8d62566bf7510e84bb5637", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.264249512819615, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1b39a110037ca7732715af5c891f8bef8a3aa087", "event_fingerprint": "bfb0c99f5ba7ba629a2ab217a44d6a1c45ec27ba", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f1ef735f0b99a0e9ca7165dd8ed04f10", "payload_hash": "293882c12b7889e99d008529a141332f", "path_pattern_hash": "cf64c655ed198e8031863155489c92f2" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko", "method": "GET", "path": "\/config\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko\/20100101 Firefox\/35.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko\/20100101 Firefox\/35.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko", "evidence": { "method": "GET", "path": "\/config\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko\/20100101 Firefox\/35.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko\/20100101 Firefox\/35.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c92c65963cda6582b0eb2e4c3cf224c5b7ff6558", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.js", "request_line": "GET \/config\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko\/20100101 Firefox\/35.0", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.js", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.js", "request_line": "GET \/config\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko\/20100101 Firefox\/35.0", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.js", "evidence_snippet": "GET \/config\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:43 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /app/sendgrid.py	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app/sendgrid.py UA Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /app/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /app/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5362a Safari/604.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604. Requête brute (extrait) GET /app/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5362a Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "a66eebec745c873326bfb84c6d21f4ec9fe16522", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "a743b8206ca823c369ef5eb8bfeb21a48b56cf7e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.386746385477947, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 61, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b71a3640df738d3e2ffb392f73ae06414f4a9a0b", "event_fingerprint": "55eb9034dab8a7a70cee8d0e321c2557357d5260", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6a01aa0f8090c60b7b474dbbcfd3464a", "payload_hash": "cd7dc8891c8ab5bfd81c8f48eb695a14", "path_pattern_hash": "bbc1021582141e8e631079ccf6c69d4d" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit\/604.", "method": "GET", "path": "\/app\/sendgrid.py", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit\/604.", "evidence": { "method": "GET", "path": "\/app\/sendgrid.py", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit\/604.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1ef80b2451b25b38740038e8ce2b269a9596756f", "protocol_details": { "http_method": "GET", "http_path": "\/app\/sendgrid.py", "request_line": "GET \/app\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Saf\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit\/604.", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/sendgrid.py", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/sendgrid.py", "request_line": "GET \/app\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Saf\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/sendgrid.py", "evidence_snippet": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit\/604.", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:43 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /sendgrid.yml	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.yml UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /sendgrid.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.yml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like G Requête brute (extrait) GET /sendgrid.yml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "d6787566c9a1cafa28d874bda0fffa94506c1664", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "fe30445de825aa0bffca483abd821a9f6a87533d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 237, "payload_entropy": 5.450377856576534, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f39dd65a535047fd3b661597b27e5ec3d606ffba", "event_fingerprint": "ced4718469d16b9c9abf4a2db9f29cf734866307", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8cc15569b1817c23edbd9dc00dd0cab9", "payload_hash": "24a048952f4ed73a1399b0c9547d3d54", "path_pattern_hash": "7777bc3cc4ee53dc76c001dce4e79fd5" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "method": "GET", "path": "\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "evidence": { "method": "GET", "path": "\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "934cc5659c108e525fec46a10eb694f828b4f23e", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yml", "request_line": "GET \/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yml", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yml", "request_line": "GET \/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yml", "evidence_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:43 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /sendgrid.config.json	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.config.json UA CSSCheck/1.2.2 Émulateur HTTP WAF 0 Recommandation Investiguer Tags net_flood Cible HTTP GET /sendgrid.config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /sendgrid.config.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 signal(aux) capteur Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.config.json HTTP/1.1` User-Agent CSSCheck/1.2.2 Règles WAF — Payload (extrait) GET /sendgrid.config.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: CSSCheck/1.2.2 Accept-Charset: utf-8 Accept-Encoding: g Requête brute (extrait) GET /sendgrid.config.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: CSSCheck/1.2.2 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "cb8594eccbdf56c7162c02a2893c5d365580e0fb", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "eeb189e33107611f717db38a6842e4ac40f53918", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 154, "payload_entropy": 5.047741289005093, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 1, "anomaly_count": 0, "campaign_key": "700c1c1cddb89fc7f069ae015fc833e5d7eeef80", "event_fingerprint": "f34bd860e3cd5e061d0e60a99c7fe5e4b061f09c", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d6a74c534e4f9257281a7fcee14cd5e3", "payload_hash": "db4d2bf78007790099a591a8904deb60", "path_pattern_hash": "d03aef47d2b763bc56a13f3ba838e778" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "method": "GET", "path": "\/sendgrid.config.json", "user_agent": "CSSCheck\/1.2.2", "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "request_sample": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "evidence": { "method": "GET", "path": "\/sendgrid.config.json", "user_agent": "CSSCheck\/1.2.2", "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "request_sample": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "02b87183e678bc1e502b01244696d56d8ce944c1", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.config.json", "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "http_user_agent": "CSSCheck\/1.2.2", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.config.json", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.config.json", "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "http_user_agent": "CSSCheck\/1.2.2", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.config.json", "evidence_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:43 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /config/sendgrid.json	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.json UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /config/sendgrid.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3887.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /config/sendgrid.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3887.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "9c901fc90cec65e9c437a5c159b057ea26d0a3b2", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "6c93d1b9fbdf8e8d128caa00a09f6faf39a40791", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.412090450548682, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1b39a110037ca7732715af5c891f8bef8a3aa087", "event_fingerprint": "1e462267d42a83cde949c263e785ee1a8867f5d2", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6da193ba001c53441a3e1f1fa1205dc4", "payload_hash": "cc76c236d52a9165e021eb40bd6dde64", "path_pattern_hash": "b3c041376e66dccb94b76d7207504df9" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/config\/sendgrid.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/config\/sendgrid.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "34f381c978495065042974771ce16873163929f3", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.json", "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.0 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.json", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.json", "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.0 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.json", "evidence_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:43 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /mailer/sendgrid.php	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /mailer/sendgrid.php UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWeb… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /mailer/sendgrid.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /mailer/sendgrid.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /mailer/sendgrid.php HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /mailer/sendgrid.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) App Requête brute (extrait) GET /mailer/sendgrid.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Accept-Charset: utf-8 Accept-Encoding: gzi Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "2bfbe271706a862f6724b92d23435ed5f9e6cb45", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "dae727d8f431c63a4890b644ed3bde6b8b286d4f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 280, "payload_entropy": 5.4067925723362, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 61, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b71a3640df738d3e2ffb392f73ae06414f4a9a0b", "event_fingerprint": "ab12fc4ad98a21496aafd9a473ff00163221ce5a", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "470d3fdd8e48dbfcf47545bf77c6e6cc", "payload_hash": "972929060991d41cf7652561d9fb7ac1", "path_pattern_hash": "efcedb7b18ae8ea8d96de301e7bc027e" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) App", "method": "GET", "path": "\/mailer\/sendgrid.php", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.php HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzi", "payload_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) App", "evidence": { "method": "GET", "path": "\/mailer\/sendgrid.php", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.php HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzi", "payload_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) App", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "133f1ae4810d9c6ad5bf047598947d542efbd1cc", "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.php", "request_line": "GET \/mailer\/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobi\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) App", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.php", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.php", "request_line": "GET \/mailer\/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobi\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.php", "evidence_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) App", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:43 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /config/sendgrid.yml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.yml UA Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /config/sendgrid.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.yml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 Requête brute (extrait) GET /config/sendgrid.yml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "4f807cd830453e03eaa7bb8398f168ee663261b2", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "0bd9f817e7997b41e7d0b8b8dd114ee25267d094", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.397770357886126, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1b39a110037ca7732715af5c891f8bef8a3aa087", "event_fingerprint": "fe11a8bff21967316b2d0a0d54d02058b2b97889", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3d46d65ae6e495fc85230f828e001267", "payload_hash": "c18c68b6916a753827eff84586ca8309", "path_pattern_hash": "b33a5d11f328bd7713feb258f3d7e0c0" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36", "method": "GET", "path": "\/config\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/config\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5c18c17a0a0d78d01b4f0f2f7f9c1f2283bb8fa1", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.yml", "request_line": "GET \/config\/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.yml", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.yml", "request_line": "GET \/config\/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.yml", "evidence_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:43 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /sendgrid.json	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.json UA Mozilla/5.0 (X11; U; Linux i686; en-gb) AppleWebKit/534.35 (KHT… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /sendgrid.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.json HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux i686; en-gb) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.0.5603M Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-gb) AppleWebKit/534.35 (KHTM Requête brute (extrait) GET /sendgrid.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-gb) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.0.5603M Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "1d403745579fa3699d01a78424929aaa5c8780de", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "334746630c59d3caca795d70405b3b173f74a90b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.41973135540008, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f39dd65a535047fd3b661597b27e5ec3d606ffba", "event_fingerprint": "5c58b9daf9ef8c91f705db8e85168085648bdb27", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6f2590d9e4a37cc2c0b7f413d7d47030", "payload_hash": "1c99b2ed936c3bd41722e83b153843ab", "path_pattern_hash": "e6f5fbc298134f1524aeaece47705fce" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTM", "method": "GET", "path": "\/sendgrid.json", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/2.0.5603M", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.json HTTP\/1.1", "request_sample": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/2.0.5603M\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTM", "evidence": { "method": "GET", "path": "\/sendgrid.json", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/2.0.5603M", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.json HTTP\/1.1", "request_sample": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/2.0.5603M\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTM", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6b2ac957b417caa47624104e6fa6c3eccccfbdec", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.json", "request_line": "GET \/sendgrid.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTM", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.json", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.json", "request_line": "GET \/sendgrid.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.json", "evidence_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTM", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:43 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /sendgrid.yaml	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.yaml UA Mozilla/5.0 (Linux; Android 5.1; A1601) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /sendgrid.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 5.1; A1601) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.yaml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 5.1; A1601) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /sendgrid.yaml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 5.1; A1601) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "81acb39d44f0a266ab1ef577349890d507edb650", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "6ddb9259a81c5943f174c8762a08f320950440bd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.398511286335679, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f39dd65a535047fd3b661597b27e5ec3d606ffba", "event_fingerprint": "24db30dfe66dfbe8df3c0ca2319829164db9a415", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1779dfe6f34faf53f6e1200f3da51e00", "payload_hash": "aa48b5c457dc64501af519a082f43a99", "path_pattern_hash": "586d42da805584afffe4b06de4328fe7" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; A1601) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/sendgrid.yaml", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1; A1601) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "request_sample": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; A1601) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; A1601) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/sendgrid.yaml", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1; A1601) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "request_sample": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; A1601) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; A1601) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4c10bb33d112d51292bab90a33d9c0e95c4a2ed9", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yaml", "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1; A1601) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; A1601) AppleWebKit\/537.36 (KHTM", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yaml", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yaml", "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1; A1601) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yaml", "evidence_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; A1601) AppleWebKit\/537.36 (KHTM", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:43 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /sendgrid-config.json	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid-config.json UA Mozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC) Émulateur HTTP WAF 7 Recommandation Investiguer Tags 950326:rce-0 net_flood Cible HTTP GET /sendgrid-config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /sendgrid-config.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid-config.json HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC) Règles WAF rce-0 Payload (extrait) GET /sendgrid-config.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC) Accept- Requête brute (extrait) GET /sendgrid-config.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "01d7890e293e9cd9e592801f2ed9e6445531e536", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "7d5ebcf94187fd12c4375ea09c6c54bd408b8303", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 188, "payload_entropy": 5.283848309295312, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 36, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 36, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c67382ec323abd652b608d68bc34e8a5b19f5427", "event_fingerprint": "3eb25865832329f2581cea50db4cbdd246b76b36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "confidence_breakdown": { "waf": 36, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "551dfe724be0545a21acf596f41ebf4f", "payload_hash": "a73a8112a788ef202f74f187e222d5c4", "path_pattern_hash": "170a7f6ff312a524729718105c471f02" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\r\nAccept-", "method": "GET", "path": "\/sendgrid-config.json", "user_agent": "Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)", "waf_tags": [ "950326:rce-0" ], "waf_rule_names": [ "rce-0" ], "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "request_sample": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\r\nAccept-", "evidence": { "method": "GET", "path": "\/sendgrid-config.json", "user_agent": "Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)", "waf_tags": [ "950326:rce-0" ], "waf_rule_names": [ "rce-0" ], "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "request_sample": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\r\nAccept-", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5a3660c2e2aa8b26124a48af1a2326d9c61efd9f", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-config.json", "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\r\nAccept-", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-config.json", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 36, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-config.json", "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-config.json", "evidence_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\r\nAccept-", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 36 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:43 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /sendgrid.php	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.php UA Mozilla/5.0 (Linux; Android 9; SM-G9600) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /sendgrid.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.php HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G9600) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G9600) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /sendgrid.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G9600) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "892299fb0f91a44e8f705a66e58e23d9efb78e6d", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "aeebeac9e1ed0166b8b2a8b12207a52ac16be70d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.408072440457344, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f39dd65a535047fd3b661597b27e5ec3d606ffba", "event_fingerprint": "c20d223e79c15bb980b4f685eebf60de47701292", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4a88c86b2b9f00c03377505a4644b8b9", "payload_hash": "ea07ce122049082bb2c377c89ded2e47", "path_pattern_hash": "1c628b1c6b42ab40202a01c40f9a976e" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G9600) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/sendgrid.php", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G9600) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.php HTTP\/1.1", "request_sample": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G9600) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G9600) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/sendgrid.php", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G9600) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.php HTTP\/1.1", "request_sample": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G9600) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G9600) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6c966d8a2ff447095e4629dce2599467dd73039b", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.php", "request_line": "GET \/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G9600) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G9600) AppleWebKit\/537.36 (KHTM", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.php", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.php", "request_line": "GET \/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G9600) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.php", "evidence_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G9600) AppleWebKit\/537.36 (KHTM", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:43 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /config/sendgrid.php	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.php UA Mozilla/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /config/sendgrid.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.php HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit/537.3 Requête brute (extrait) GET /config/sendgrid.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "2dcea51c51605b52513468f8d724028656e81842", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "5a7c4db4e49228f435e7f3ef670fd7a77af86fbd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.403000574509271, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1b39a110037ca7732715af5c891f8bef8a3aa087", "event_fingerprint": "546bc307cb3ad869622894d5c776825dce71d812", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bf5f7065b1fac22237fb56c0ef05dfb0", "payload_hash": "3a62c1b4cdaca690cff98a32e9c238cc", "path_pattern_hash": "c0ea70e9176b91c1342a31c50481c975" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.3", "method": "GET", "path": "\/config\/sendgrid.php", "user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.php HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/config\/sendgrid.php", "user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.php HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1d7bb119fd029e404e92cb842aa22be6e5c3fdbc", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.php", "request_line": "GET \/config\/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.php", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.php", "request_line": "GET \/config\/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.php", "evidence_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.3", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /config/settings.php	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/settings.php UA Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/settings.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /config/settings.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Settings PHP Ligne de requête `GET /config/settings.php HTTP/1.1` User-Agent Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/settings.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/5 Requête brute (extrait) GET /config/settings.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "49a3c433839e99ca73cde060e9a5bbb5da5b350e", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "418a5f6a5e1110ffbd155bc9313c50008e60f423", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 265, "payload_entropy": 5.411274484063458, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1b39a110037ca7732715af5c891f8bef8a3aa087", "event_fingerprint": "fa3e3592980c05bd56fd7ce8e6201c7078b8f39c", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0500" ], "matched_pattern_names": [ "Cred Settings PHP" ], "pattern_ids": [ "pat-0500" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "03953cb585931e8e19ceb68996929195", "payload_hash": "e032ca7c30db60f43927ac49c2373b1b", "path_pattern_hash": "b9b36a42819ef11fa7d42979d581f393" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/config\/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit\/5", "method": "GET", "path": "\/config\/settings.php", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit\/534.46 (KHTML, like Gecko ) Version\/5.1 Mobile\/9B176 Safari\/7534.48.3", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/settings.php HTTP\/1.1", "request_sample": "GET \/config\/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit\/534.46 (KHTML, like Gecko ) Version\/5.1 Mobile\/9B176 Safari\/7534.48.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/config\/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/config\/settings.php", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit\/534.46 (KHTML, like Gecko ) Version\/5.1 Mobile\/9B176 Safari\/7534.48.3", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/settings.php HTTP\/1.1", "request_sample": "GET \/config\/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit\/534.46 (KHTML, like Gecko ) Version\/5.1 Mobile\/9B176 Safari\/7534.48.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/config\/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit\/5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "43347a578fcfde3adf32ae2815a1c31d54653009", "protocol_details": { "http_method": "GET", "http_path": "\/config\/settings.php", "request_line": "GET \/config\/settings.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit\/534.46 (KHTML, like Gecko ) Version\/5.1 Mobile\/9B176 Safari\/75\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit\/5", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/settings.php", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/settings.php", "request_line": "GET \/config\/settings.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit\/534.46 (KHTML, like Gecko ) Version\/5.1 Mobile\/9B176 Safari\/75\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/settings.php", "evidence_snippet": "GET \/config\/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit\/5", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /server/appsettings.json	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server/appsettings.json UA Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWeb… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /server/appsettings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /server/appsettings.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred ASP.NET settings Ligne de requête `GET /server/appsettings.json HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A346 Safari/602.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server/appsettings.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) Requête brute (extrait) GET /server/appsettings.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A346 Safari/602.1 Accept-Charset: utf-8 Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "8bdd51946a43293fbf9e2d2927f2bf22d3fe1c14", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "c7b54c7590a4c4182f88d140c445e8a96b77c466", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 278, "payload_entropy": 5.344900036703105, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 61, "tag_count": 4, "anomaly_count": 0, "campaign_key": "eaf6f0840ff9fe0b228515b857cf6831e68d7119", "event_fingerprint": "0edaa9ff5330cf08b6cf43ecd30cb1f6878bc339", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0466" ], "matched_pattern_names": [ "Cred ASP.NET settings" ], "pattern_ids": [ "pat-0466" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a15647e627b64dcad9c8f35ee8e9e677", "payload_hash": "e6568b09641e460e890a1993583e5e7d", "path_pattern_hash": "c34b3864659f22d384f06d606e8053e9" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/server\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X)", "method": "GET", "path": "\/server\/appsettings.json", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/602.1.50 (KHTML, like Gecko) Version\/10.0 Mobile\/14A346 Safari\/602.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/appsettings.json HTTP\/1.1", "request_sample": "GET \/server\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/602.1.50 (KHTML, like Gecko) Version\/10.0 Mobile\/14A346 Safari\/602.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r", "payload_snippet": "GET \/server\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X)", "evidence": { "method": "GET", "path": "\/server\/appsettings.json", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/602.1.50 (KHTML, like Gecko) Version\/10.0 Mobile\/14A346 Safari\/602.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/appsettings.json HTTP\/1.1", "request_sample": "GET \/server\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/602.1.50 (KHTML, like Gecko) Version\/10.0 Mobile\/14A346 Safari\/602.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r", "payload_snippet": "GET \/server\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X)", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5af3b61e596db9f42536b8728fb0f4fb8d698724", "protocol_details": { "http_method": "GET", "http_path": "\/server\/appsettings.json", "request_line": "GET \/server\/appsettings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/602.1.50 (KHTML, like Gecko) Version\/10.0 Mobile\/14A\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X)", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/appsettings.json", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server\/appsettings.json", "request_line": "GET \/server\/appsettings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/602.1.50 (KHTML, like Gecko) Version\/10.0 Mobile\/14A\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/appsettings.json", "evidence_snippet": "GET \/server\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X)", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:8220 · (tentative d'exploit) · → /private/credentials.json	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /private/credentials.json UA Mozilla/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit/537.36… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_private Cible HTTP GET /private/credentials.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /private/credentials.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux pat-0472 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Credentials JSON Ligne de requête `GET /private/credentials.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /private/credentials.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 7) AppleWeb Requête brute (extrait) GET /private/credentials.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connectio Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "fae00653dfac480b42f044c98783176983f00bea", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "f5b98432b4ea101afd265888d823143de70b6fa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 268, "payload_entropy": 5.393949830138043, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "e66b4b94a31b4d135de731fc18fdb6a9d980231e", "event_fingerprint": "2d5079bb123b4df25148426c9fa9c1df66c94111", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0472" ], "matched_pattern_names": [ "Cred Credentials JSON" ], "pattern_ids": [ "pat-0472" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a3a72b638cf0154db604cf829203ccf8", "payload_hash": "a2556baea9ed1d494eb769ce62a28d76", "path_pattern_hash": "b18c0d27f50ba8fd3156a9c7a907fc4a" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/private\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWeb", "method": "GET", "path": "\/private\/credentials.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private\/credentials.json HTTP\/1.1", "request_sample": "GET \/private\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/private\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWeb", "evidence": { "method": "GET", "path": "\/private\/credentials.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private\/credentials.json HTTP\/1.1", "request_sample": "GET \/private\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/private\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWeb", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e9648789405ea15364cff766ac5e817065968472", "protocol_details": { "http_method": "GET", "http_path": "\/private\/credentials.json", "request_line": "GET \/private\/credentials.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/private\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWeb", "attack_vector": "credential file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/credentials.json", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0472", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/private\/credentials.json", "request_line": "GET \/private\/credentials.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/credentials.json", "evidence_snippet": "GET \/private\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWeb", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_private", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /config/services.php	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/services.php UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/services.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /config/services.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/services.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/services.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537. Requête brute (extrait) GET /config/services.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "e8761e5ab07187c141f9877d6cb4b8b4d14d31f3", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "3ca2bec84ec8ba69efd80baa52ae496391a16c98", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.412246488626829, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1b39a110037ca7732715af5c891f8bef8a3aa087", "event_fingerprint": "b2a6ba104dd23ae5fbca7de034e304beea511a85", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f3c67377bb4f9116a6a27a941a7e5016", "payload_hash": "7a8c74221cf56309a555b99ab91745d0", "path_pattern_hash": "1a4e64bcf01550beeb5ff11653df0118" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/config\/services.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "method": "GET", "path": "\/config\/services.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/services.php HTTP\/1.1", "request_sample": "GET \/config\/services.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/services.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/config\/services.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/services.php HTTP\/1.1", "request_sample": "GET \/config\/services.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/services.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "36dfe0f1b60b17519bc62f3575ef34f3212aed57", "protocol_details": { "http_method": "GET", "http_path": "\/config\/services.php", "request_line": "GET \/config\/services.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/services.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/services.php", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/services.php", "request_line": "GET \/config\/services.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/services.php", "evidence_snippet": "GET \/config\/services.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8220 · (tentative d'exploit) · → /config/config.json	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /config/config.json UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /config/config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/config.json HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/config.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit Requête brute (extrait) GET /config/config.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "0267e5a445e2c25d72a7f2ee2d0cac878c3747c6", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "de9396c02d7e95e2bf1af9f60ce296f0b321d0a5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.411719577238403, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 61, "tag_count": 6, "anomaly_count": 0, "campaign_key": "811c2d02c1e6217f10261892bc7356c0a989b77f", "event_fingerprint": "4b53eaddf17513971ef01537527fb098e4a7832a", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "364a2082aefdab822ac47f5798189768", "payload_hash": "5dcaad3c207187a20d9d988eac83bf04", "path_pattern_hash": "3d1d3f9c6b53a14673a3554e1b4c6dd0" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/config\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit", "method": "GET", "path": "\/config\/config.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/config.json HTTP\/1.1", "request_sample": "GET \/config\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/config\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit", "evidence": { "method": "GET", "path": "\/config\/config.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/config.json HTTP\/1.1", "request_sample": "GET \/config\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/config\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a539708fc0184259edd5076ef6a6304380f9eeaf", "protocol_details": { "http_method": "GET", "http_path": "\/config\/config.json", "request_line": "GET \/config\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit", "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/config.json", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/config.json", "request_line": "GET \/config\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/config.json", "evidence_snippet": "GET \/config\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8220 · (tentative d'exploit) · → /wp-config.php.old	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /wp-config.php.old UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537… Émulateur HTTP WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950518:leak-5 950521:leak-8 Cible HTTP GET /wp-config.php.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /wp-config.php.old Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0195 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 933111 Probe /wp-config.php Ligne de requête `GET /wp-config.php.old HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-5 leak-8 Payload (extrait) GET /wp-config.php.old HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/ Requête brute (extrait) GET /wp-config.php.old HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "old", "http_ua_hash": "8108bc093c2ccf261027db837a9947d64ffb6f22", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "24c516a67db44cfad409a699aaddb7e13edd5983", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.4031322458058275, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 8, "anomaly_count": 0, "campaign_key": "f651c6801340cd34f48532fe41d6e6caa16a160b", "event_fingerprint": "5e14302dbd8469481071aaac7d115d656f35551e", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0160", "pat-0195" ], "matched_pattern_names": [ "CRS 933111", "Probe \/wp-config.php" ], "pattern_ids": [ "pat-0160", "pat-0195" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bc75c605d3c4eed5ee6574f6bd67b32c", "payload_hash": "e66777aa51f878d50deb00da85079aac", "path_pattern_hash": "5fcd528564d98f34a98115294a2df668" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit\/", "method": "GET", "path": "\/wp-config.php.old", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.90 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5", "leak-8" ], "request_line": "GET \/wp-config.php.old HTTP\/1.1", "request_sample": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.90 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/wp-config.php.old", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.90 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5", "leak-8" ], "request_line": "GET \/wp-config.php.old HTTP\/1.1", "request_sample": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.90 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit\/", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7374af8e8b3e0e0b34df04ff532518b07bea29ca", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.old", "request_line": "GET \/wp-config.php.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.90 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit\/", "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php.old", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0195", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.old", "request_line": "GET \/wp-config.php.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.90 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php.old", "evidence_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit\/", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /config/mail.php	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/mail.php UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko/… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/mail.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /config/mail.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/mail.php HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko/20100101 Firefox/57.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/mail.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko Requête brute (extrait) GET /config/mail.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko/20100101 Firefox/57.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "d2ce1b86f7c2e75d699f51384a71d8544eaa0936", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "a3c407d6a87f65745e0ab4f00693213892a25d7c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.313148005226299, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1b39a110037ca7732715af5c891f8bef8a3aa087", "event_fingerprint": "60d20a33cdfef68f7b5891b9fe2783d686e5d384", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b86ad045d44af83b6be19bb1e7356f7f", "payload_hash": "7cf28b8f908e40a76f7bf677f169136c", "path_pattern_hash": "9f9ddcc3b2a6db2bc31eefdcce505d28" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/config\/mail.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko", "method": "GET", "path": "\/config\/mail.php", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko\/20100101 Firefox\/57.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/mail.php HTTP\/1.1", "request_sample": "GET \/config\/mail.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko\/20100101 Firefox\/57.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/mail.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko", "evidence": { "method": "GET", "path": "\/config\/mail.php", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko\/20100101 Firefox\/57.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/mail.php HTTP\/1.1", "request_sample": "GET \/config\/mail.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko\/20100101 Firefox\/57.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/mail.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "692e20b622520846733b392dedccf77478792201", "protocol_details": { "http_method": "GET", "http_path": "\/config\/mail.php", "request_line": "GET \/config\/mail.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko\/20100101 Firefox\/57.0", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/mail.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/mail.php", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/mail.php", "request_line": "GET \/config\/mail.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko\/20100101 Firefox\/57.0", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/mail.php", "evidence_snippet": "GET \/config\/mail.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /config/database.php	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/database.php UA Mozilla/5.0 (Windows Phone 8.1; ARM; Trident/7.0; Touch; rv:11.… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/database.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /config/database.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/database.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows Phone 8.1; ARM; Trident/7.0; Touch; rv:11.0; IEMobile/11.0; NOKIA; Lumia 530) like Gecko Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/database.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Windows Phone 8.1; ARM; Trident/7.0; Touch; r Requête brute (extrait) GET /config/database.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Windows Phone 8.1; ARM; Trident/7.0; Touch; rv:11.0; IEMobile/11.0; NOKIA; Lumia 530) like Gecko Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "253c736ddac82508286dee2924e7dcd234fd2086", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "e700e04925bb0dece8be41de92b622f2cd49e098", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.3559043922383305, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1b39a110037ca7732715af5c891f8bef8a3aa087", "event_fingerprint": "af47d18d38a61dc87295781908c022ac15986ece", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2c9fedcc266aef2717fb1b3d1ba14f86", "payload_hash": "0810561b46ae9de4d3b531533a00730f", "path_pattern_hash": "a199a05002f19c0fd144e669de1d6b8d" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; r", "method": "GET", "path": "\/config\/database.php", "user_agent": "Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 530) like Gecko", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/database.php HTTP\/1.1", "request_sample": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 530) like Gecko\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; r", "evidence": { "method": "GET", "path": "\/config\/database.php", "user_agent": "Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 530) like Gecko", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/database.php HTTP\/1.1", "request_sample": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 530) like Gecko\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; r", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f6110b5dec98b8e850281e11f9e7b3b4d6ff2f2e", "protocol_details": { "http_method": "GET", "http_path": "\/config\/database.php", "request_line": "GET \/config\/database.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 530) like Gecko", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; r", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/database.php", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/database.php", "request_line": "GET \/config\/database.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 530) like Gecko", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/database.php", "evidence_snippet": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; r", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8220 · (tentative d'exploit) · → /application/config/config.php	Élevée	Moyen · 60
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /application/config/config.php UA Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTM… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /application/config/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /application/config/config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 60 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Generic config.php Ligne de requête `GET /application/config/config.php HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application/config/config.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebK Requête brute (extrait) GET /application/config/config.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "php", "http_ua_hash": "dbc300a2fdbce9356ecb24ee11e2ee1d42c7eee0", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "ab5bb68257f1fdd1dfa4915fa7104485b044a078", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.401209039141535, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 60, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4a2895560ff2351445c67cf08dcc35a7389a704a", "event_fingerprint": "f57bd4dc7f193018c417e8751090de4483e054c6", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0118" ], "matched_pattern_names": [ "LFI Generic config.php" ], "pattern_ids": [ "pat-0118" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 60, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f87bfe70fdc910a1c65033b3ad50ee97", "payload_hash": "65b0a0b17e7ceaa500852f08702fb18b", "path_pattern_hash": "b6440fe574333494578eac2496976a1d" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 60 }, "payload_preview": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebK", "method": "GET", "path": "\/application\/config\/config.php", "user_agent": "Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application\/config\/config.php HTTP\/1.1", "request_sample": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebK", "evidence": { "method": "GET", "path": "\/application\/config\/config.php", "user_agent": "Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application\/config\/config.php HTTP\/1.1", "request_sample": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebK", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d1f42ca66de20d810e14926b7f5c3052b5d1ed62", "protocol_details": { "http_method": "GET", "http_path": "\/application\/config\/config.php", "request_line": "GET \/application\/config\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebK", "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application\/config\/config.php", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 60, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 60, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/application\/config\/config.php", "request_line": "GET \/application\/config\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.130 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application\/config\/config.php", "evidence_snippet": "GET \/application\/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 (x86_64)) AppleWebK", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:8220 · (tentative d'exploit) · → /services/secrets.json	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /services/secrets.json UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_k8s_probe Cible HTTP GET /services/secrets.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /services/secrets.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux pat-0496 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Secrets JSON file Ligne de requête `GET /services/secrets.json HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /services/secrets.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /services/secrets.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "fe5348c952496ea94a2d1f8b6189bd9b3c4c128d", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "e5f28d9dabe348c75152a0d03b8af3948967c412", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.401291519991385, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "efed357abc74055a20e63a2947e8aaf5e00a2a20", "event_fingerprint": "86c55ca30be4074cb94cbedc2d59896f1c39c27b", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0496" ], "matched_pattern_names": [ "Cred Secrets JSON file" ], "pattern_ids": [ "pat-0496" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e3d6073ea4874db379c214e33553846a", "payload_hash": "6a287baf173feb55af5c3785db8af8ed", "path_pattern_hash": "e5ca14018f208a625d89b1bb0ac742c9" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/services\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/services\/secrets.json", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/services\/secrets.json HTTP\/1.1", "request_sample": "GET \/services\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/services\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/services\/secrets.json", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/services\/secrets.json HTTP\/1.1", "request_sample": "GET \/services\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/services\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "98b3176935626f2d29aa2b91f83d4b4101ff559e", "protocol_details": { "http_method": "GET", "http_path": "\/services\/secrets.json", "request_line": "GET \/services\/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/services\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "attack_vector": "credential file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/secrets.json", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0496", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/services\/secrets.json", "request_line": "GET \/services\/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/secrets.json", "evidence_snippet": "GET \/services\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_k8s_probe", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8220 · (tentative d'exploit) · → /v1/config.json	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /v1/config.json UA SearchExpress Émulateur HTTP WAF 14 Recommandation Investiguer Tags 950316:lfi-14 950468:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /v1/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /v1/config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /v1/config.json HTTP/1.1` User-Agent SearchExpress Règles WAF lfi-14 nosqli-3 Payload (extrait) GET /v1/config.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: SearchExpress Accept-Charset: utf-8 Accept-Encoding: gzip Co Requête brute (extrait) GET /v1/config.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: SearchExpress Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "0f34e46ee455e3902ab13bd0e9ef41f45fdb19f3", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "e1865ad3140924e10c86b3b0491226fecbd86d31", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.067895577854807, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 64, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 53, "tag_count": 4, "anomaly_count": 0, "campaign_key": "fe4c9e08912e123e63787aa96fe1d94396b60e00", "event_fingerprint": "c40eb158ab50c48cc3f2de08a5bcbf40ce51135d", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "079271c120bdf55f3ee944ef880898e1", "payload_hash": "7cb14bd7925ca8a7f18ec9257396c623", "path_pattern_hash": "4172adffd8adf564d7794f5ddcfe5fac" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: SearchExpress\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "method": "GET", "path": "\/v1\/config.json", "user_agent": "SearchExpress", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3" ], "waf_rule_names": [ "lfi-14", "nosqli-3" ], "request_line": "GET \/v1\/config.json HTTP\/1.1", "request_sample": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: SearchExpress\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: SearchExpress\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "evidence": { "method": "GET", "path": "\/v1\/config.json", "user_agent": "SearchExpress", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3" ], "waf_rule_names": [ "lfi-14", "nosqli-3" ], "request_line": "GET \/v1\/config.json HTTP\/1.1", "request_sample": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: SearchExpress\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: SearchExpress\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f3c2408e9ef929ebc80deaec02a644785d92b105", "protocol_details": { "http_method": "GET", "http_path": "\/v1\/config.json", "request_line": "GET \/v1\/config.json HTTP\/1.1", "http_user_agent": "SearchExpress", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: SearchExpress\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v1\/config.json", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/v1\/config.json", "request_line": "GET \/v1\/config.json HTTP\/1.1", "http_user_agent": "SearchExpress", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v1\/config.json", "evidence_snippet": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: SearchExpress\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 64 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950468:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8220 · (tentative d'exploit) · → /deploy/config.json	Élevée	Moyen · 60
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /deploy/config.json UA Opera/9.80 (Windows NT 5.1; U; zh-tw) Presto/2.8.131 Version/11… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /deploy/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /deploy/config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 60 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /deploy/config.json HTTP/1.1` User-Agent Opera/9.80 (Windows NT 5.1; U; zh-tw) Presto/2.8.131 Version/11.10 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /deploy/config.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Opera/9.80 (Windows NT 5.1; U; zh-tw) Presto/2.8.131 Versio Requête brute (extrait) GET /deploy/config.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Opera/9.80 (Windows NT 5.1; U; zh-tw) Presto/2.8.131 Version/11.10 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "f5aa68ce0d176daced3e5603621b296b2ab1a7e7", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "587e02f3a200b756d82c89e452c9f9e918723ae0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 204, "payload_entropy": 5.218752097956891, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 60, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4a2895560ff2351445c67cf08dcc35a7389a704a", "event_fingerprint": "38fbd8c85ffd5f49213837470d022edf24facb4e", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 60, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "97f443d87205c2b6684b7ad10f42aec7", "payload_hash": "57770180512f50b9b5935124e9a3d255", "path_pattern_hash": "95089f1ddd4262d3d914f991599d5080" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 60 }, "payload_preview": "GET \/deploy\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Versio", "method": "GET", "path": "\/deploy\/config.json", "user_agent": "Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/deploy\/config.json HTTP\/1.1", "request_sample": "GET \/deploy\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/deploy\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Versio", "evidence": { "method": "GET", "path": "\/deploy\/config.json", "user_agent": "Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/deploy\/config.json HTTP\/1.1", "request_sample": "GET \/deploy\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/deploy\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Versio", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6bd27c75664e82894cde73ed18405056f5bad7c8", "protocol_details": { "http_method": "GET", "http_path": "\/deploy\/config.json", "request_line": "GET \/deploy\/config.json HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/deploy\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Versio", "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/deploy\/config.json", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 60, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 60, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/deploy\/config.json", "request_line": "GET \/deploy\/config.json HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/deploy\/config.json", "evidence_snippet": "GET \/deploy\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Versio", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /config/database.json	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/database.json UA grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stuff wit… Émulateur HTTP WAF 25 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /config/database.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /config/database.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — 4 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /config/database.json HTTP/1.1` User-Agent grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stuff with http://grub.org) Règles WAF rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /config/database.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stu Requête brute (extrait) GET /config/database.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stuff with http://grub.org) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "71db9053bdd13c7da9dd4c39adbdf0ed0813434b", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "942ff77c5ee7a45ad41df6b61bbcc8c510b2de01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 221, "payload_entropy": 5.1480059954415855, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 6, "anomaly_count": 0, "campaign_key": "03b2b040aed7f9a61e012000cb78b3b2e3b0747d", "event_fingerprint": "b0646528e699e95b7baccd7468636fc95b66c046", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e007145ba50bb31fd795f52669fba6cd", "payload_hash": "14f10bfb4b7fb8aa2ae382d9c26d0c82", "path_pattern_hash": "571ed335a10c7335c4655f72fb6293ea" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/config\/database.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stu", "method": "GET", "path": "\/config\/database.json", "user_agent": "grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stuff with http:\/\/grub.org)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/config\/database.json HTTP\/1.1", "request_sample": "GET \/config\/database.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stuff with http:\/\/grub.org)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/database.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stu", "evidence": { "method": "GET", "path": "\/config\/database.json", "user_agent": "grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stuff with http:\/\/grub.org)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/config\/database.json HTTP\/1.1", "request_sample": "GET \/config\/database.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stuff with http:\/\/grub.org)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/database.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stu", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0a12100639288cabc924563d775c1377dfdf5044", "protocol_details": { "http_method": "GET", "http_path": "\/config\/database.json", "request_line": "GET \/config\/database.json HTTP\/1.1", "http_user_agent": "grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stuff with http:\/\/grub.org)", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/database.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stu", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/database.json", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/database.json", "request_line": "GET \/config\/database.json HTTP\/1.1", "http_user_agent": "grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stuff with http:\/\/grub.org)", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/database.json", "evidence_snippet": "GET \/config\/database.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stu", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8220 · (tentative d'exploit) · → /v2/config.json	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /v2/config.json UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v2/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /v2/config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — 4 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /v2/config.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.0 Safari/532.5 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /v2/config.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532 Requête brute (extrait) GET /v2/config.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.0 Safari/532.5 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "289f4c295ae7f09c1eee743f7f4cd8518b47179b", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "504546e13c6c46b821dc777793aed750fb706b7d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 249, "payload_entropy": 5.407264148855097, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "ecb0a415448766d3eed5ceb73dae43eff8bc2f1e", "event_fingerprint": "dc8d19cffab21f3b149b0a970aa8381662519fe5", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "95883dd05f3e1c6a42007821f8bf3c58", "payload_hash": "a3adcfef49ead6e8bbc47882c5b92d72", "path_pattern_hash": "00362549a7b517b90a1400deaafa2985" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "method": "GET", "path": "\/v2\/config.json", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/v2\/config.json HTTP\/1.1", "request_sample": "GET \/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "evidence": { "method": "GET", "path": "\/v2\/config.json", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/v2\/config.json HTTP\/1.1", "request_sample": "GET \/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a9992a98e878842ff033807d6f940e463e523b66", "protocol_details": { "http_method": "GET", "http_path": "\/v2\/config.json", "request_line": "GET \/v2\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/config.json", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/v2\/config.json", "request_line": "GET \/v2\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/config.json", "evidence_snippet": "GET \/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:8220 · (tentative d'exploit) · → /server/credentials.json	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /server/credentials.json UA Mozilla/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit/605.1… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /server/credentials.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /server/credentials.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux pat-0472 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Credentials JSON Ligne de requête `GET /server/credentials.json HTTP/1.1` User-Agent Mozilla/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Flipboard/4.2.48 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server/credentials.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWeb Requête brute (extrait) GET /server/credentials.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Flipboard/4.2.48 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "68ec54197085b2d356c6afb05129b4f08147874c", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "0448476e8596bfb535234584ac471c02983c6fe7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.391403666441118, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 61, "tag_count": 4, "anomaly_count": 0, "campaign_key": "cd916c94d7b64d1894e48f58e590375438c425fc", "event_fingerprint": "c0b1ec7125de6a417256a29ec858ad03db1493a9", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0472" ], "matched_pattern_names": [ "Cred Credentials JSON" ], "pattern_ids": [ "pat-0472" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5e3199a6640667a88d56d27fb06a1eb6", "payload_hash": "8cbfb53f5fd873e17150a60519cac57c", "path_pattern_hash": "017fc0dcd972a4e3aefd53875717b41b" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/server\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWeb", "method": "GET", "path": "\/server\/credentials.json", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 Flipboard\/4.2.48", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/credentials.json HTTP\/1.1", "request_sample": "GET \/server\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 Flipboard\/4.2.48\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/server\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWeb", "evidence": { "method": "GET", "path": "\/server\/credentials.json", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 Flipboard\/4.2.48", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/credentials.json HTTP\/1.1", "request_sample": "GET \/server\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 Flipboard\/4.2.48\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/server\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWeb", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "871560afb0fd74aa8ad883066d8e8caf47a51ea1", "protocol_details": { "http_method": "GET", "http_path": "\/server\/credentials.json", "request_line": "GET \/server\/credentials.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 Flipboard\/4.2.48", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWeb", "attack_vector": "credential file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/credentials.json", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0472", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server\/credentials.json", "request_line": "GET \/server\/credentials.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 Flipboard\/4.2.48", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/credentials.json", "evidence_snippet": "GET \/server\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWeb", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8220 · (tentative d'exploit) · → /private/config.json	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /private/config.json UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_private Cible HTTP GET /private/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /private/config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /private/config.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.0 Safari/532.5 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /private/config.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKi Requête brute (extrait) GET /private/config.json HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.0 Safari/532.5 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "289f4c295ae7f09c1eee743f7f4cd8518b47179b", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "9da8385e7491d9f52a230e3a1c8c565aba119417", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.401399417123301, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 61, "tag_count": 6, "anomaly_count": 0, "campaign_key": "4ba82ff995f6995638142490c8a78d8bbd7241f7", "event_fingerprint": "525c622a5404205b026464ded9262882e107f3c7", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "95883dd05f3e1c6a42007821f8bf3c58", "payload_hash": "0648fa8a21b52e9d6908984cea47f23c", "path_pattern_hash": "a8e2e774a183bdb09e7d488718c8d6ab" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKi", "method": "GET", "path": "\/private\/config.json", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private\/config.json HTTP\/1.1", "request_sample": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKi", "evidence": { "method": "GET", "path": "\/private\/config.json", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private\/config.json HTTP\/1.1", "request_sample": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKi", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "18b0abcb36a04e8c10fc28ca013231c42b33d216", "protocol_details": { "http_method": "GET", "http_path": "\/private\/config.json", "request_line": "GET \/private\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKi", "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/config.json", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/private\/config.json", "request_line": "GET \/private\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/config.json", "evidence_snippet": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKi", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_private", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /internal/config.yml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /internal/config.yml UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_internal Cible HTTP GET /internal/config.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /internal/config.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /internal/config.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Maxthon/4.4.6.1000 Chrome/30.0.1599.101 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /internal/config.yml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KH Requête brute (extrait) GET /internal/config.yml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Maxthon/4.4.6.1000 Chrome/30.0.1599.101 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "77386173a51c69d052a81adc26feda5cc4412563", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "84b99aee73556df7a4efeffa522f9587a983cdbf", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.432081285441951, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4afbbc75e08293cec126d57d99298d31970280ec", "event_fingerprint": "51d91aa36884c7911a303c72ada52edb7fc49a67", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2a44d75dc0e34a4ede90a7d746fb5f07", "payload_hash": "69269519b108bcaa9e1e41bd851eb2a1", "path_pattern_hash": "2e4a225629002cdfe7eaf4ad6aeee5e3" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/internal\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/internal\/config.yml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Maxthon\/4.4.6.1000 Chrome\/30.0.1599.101 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/internal\/config.yml HTTP\/1.1", "request_sample": "GET \/internal\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Maxthon\/4.4.6.1000 Chrome\/30.0.1599.101 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/internal\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/internal\/config.yml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Maxthon\/4.4.6.1000 Chrome\/30.0.1599.101 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/internal\/config.yml HTTP\/1.1", "request_sample": "GET \/internal\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Maxthon\/4.4.6.1000 Chrome\/30.0.1599.101 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/internal\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KH", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "17ac12864c7734f6ca6b5ba8a11e2b61f05b8756", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/config.yml", "request_line": "GET \/internal\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Maxthon\/4.4.6.1000 Chrome\/30.0.1599.101 Safa\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/internal\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KH", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/config.yml", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/config.yml", "request_line": "GET \/internal\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Maxthon\/4.4.6.1000 Chrome\/30.0.1599.101 Safa\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/config.yml", "evidence_snippet": "GET \/internal\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KH", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_internal", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /config/cache.php	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/cache.php UA Opera/9.80 (Android; Opera Mini/7.5.33361/31.1543; U; en) Prest… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/cache.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /config/cache.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/cache.php HTTP/1.1` User-Agent Opera/9.80 (Android; Opera Mini/7.5.33361/31.1543; U; en) Presto/2.8.119 Version/11.1010 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/cache.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Opera/9.80 (Android; Opera Mini/7.5.33361/31.1543; U; en) Pre Requête brute (extrait) GET /config/cache.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Opera/9.80 (Android; Opera Mini/7.5.33361/31.1543; U; en) Presto/2.8.119 Version/11.1010 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "3658febe4dfb662dd247689cfc055f8485cd9115", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "9692de7bdad9583db6331e50d4b9dacf18ddb2e0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 224, "payload_entropy": 5.176578571000948, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1b39a110037ca7732715af5c891f8bef8a3aa087", "event_fingerprint": "07862b66924dc4317012a8f3d0ec3a78cb80d91d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6d0ca10280eaf9ba3b16ab6eae25c98c", "payload_hash": "4e8eafed035891472741eac49a21d053", "path_pattern_hash": "875d6aa330eaf796664c4387fbf0c3b1" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/config\/cache.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/7.5.33361\/31.1543; U; en) Pre", "method": "GET", "path": "\/config\/cache.php", "user_agent": "Opera\/9.80 (Android; Opera Mini\/7.5.33361\/31.1543; U; en) Presto\/2.8.119 Version\/11.1010", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/cache.php HTTP\/1.1", "request_sample": "GET \/config\/cache.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/7.5.33361\/31.1543; U; en) Presto\/2.8.119 Version\/11.1010\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/cache.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/7.5.33361\/31.1543; U; en) Pre", "evidence": { "method": "GET", "path": "\/config\/cache.php", "user_agent": "Opera\/9.80 (Android; Opera Mini\/7.5.33361\/31.1543; U; en) Presto\/2.8.119 Version\/11.1010", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/cache.php HTTP\/1.1", "request_sample": "GET \/config\/cache.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/7.5.33361\/31.1543; U; en) Presto\/2.8.119 Version\/11.1010\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/cache.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/7.5.33361\/31.1543; U; en) Pre", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fdff00544ee365bfb92a6447ef311d8e5d73ec5b", "protocol_details": { "http_method": "GET", "http_path": "\/config\/cache.php", "request_line": "GET \/config\/cache.php HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Android; Opera Mini\/7.5.33361\/31.1543; U; en) Presto\/2.8.119 Version\/11.1010", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/cache.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/7.5.33361\/31.1543; U; en) Pre", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/cache.php", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/cache.php", "request_line": "GET \/config\/cache.php HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Android; Opera Mini\/7.5.33361\/31.1543; U; en) Presto\/2.8.119 Version\/11.1010", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/cache.php", "evidence_snippet": "GET \/config\/cache.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/7.5.33361\/31.1543; U; en) Pre", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8220 · (tentative d'exploit) · → /wp-config.php~	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /wp-config.php~ UA Mozilla/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod™_Version)… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950518:leak-5 http_backup_file_scan Cible HTTP GET /wp-config.php~ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /wp-config.php~ Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0195 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /wp-config.php Ligne de requête `GET /wp-config.php~ HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod™_Version) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-5 Payload (extrait) GET /wp-config.php~ HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod™_Versio Requête brute (extrait) GET /wp-config.php~ HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod™_Version) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzi Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php~", "http_ua_hash": "d1fe78cc4b2390aa57ab35fd24fafa28626a16ef", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "863c7f3ef890e19c474d54faa2637f21aa61f24b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 280, "payload_entropy": 5.503117298738884, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 6, "anomaly_count": 0, "campaign_key": "de7ba9e760ffb0492d87b0071d7d19880881485a", "event_fingerprint": "19ed0362e295028e21c4e2fd7dddd2619f38c2de", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0195" ], "matched_pattern_names": [ "Probe \/wp-config.php" ], "pattern_ids": [ "pat-0195" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "89118e8e7adfb61feb0c5082572d1e14", "payload_hash": "3f96b3687174300ce5a9a32a577fd10c", "path_pattern_hash": "01859822ace956c1e8cfef788e43bcce" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Versio", "method": "GET", "path": "\/wp-config.php~", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php~ HTTP\/1.1", "request_sample": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzi", "payload_snippet": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Versio", "evidence": { "method": "GET", "path": "\/wp-config.php~", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php~ HTTP\/1.1", "request_sample": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzi", "payload_snippet": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Versio", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d83ee1ec74c17bff777f75f39972bf929475d9cd", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php~", "request_line": "GET \/wp-config.php~ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Versio", "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php~", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0195", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php~", "request_line": "GET \/wp-config.php~ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php~", "evidence_snippet": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Versio", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /config/application.properties	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/application.properties UA Mozilla/5.0 (Linux; Android 8.1.0; ZB602KL) AppleWebKit/537.36 … Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/application.properties TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /config/application.properties Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/application.properties HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; ZB602KL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/application.properties HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; ZB602KL) Appl Requête brute (extrait) GET /config/application.properties HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; ZB602KL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Conne Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "properties", "http_ua_hash": "9cf6b14f51ea8a497712cc0db340c00065a2319e", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "19466bed7c4f7605a6c5066001d33e4cf1ce8497", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 272, "payload_entropy": 5.383328339219245, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1b39a110037ca7732715af5c891f8bef8a3aa087", "event_fingerprint": "e7b10bb02a7fd765a548de9fdcf41542305c5e8b", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e864e759701f5d391e397ecd8c8e656e", "payload_hash": "472cc5fbe62c28d177bd5e52daed4bd3", "path_pattern_hash": "4e42f78bea2104e7cf7ee364ae009f68" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/config\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; ZB602KL) Appl", "method": "GET", "path": "\/config\/application.properties", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; ZB602KL) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/application.properties HTTP\/1.1", "request_sample": "GET \/config\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; ZB602KL) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne", "payload_snippet": "GET \/config\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; ZB602KL) Appl", "evidence": { "method": "GET", "path": "\/config\/application.properties", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; ZB602KL) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/application.properties HTTP\/1.1", "request_sample": "GET \/config\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; ZB602KL) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne", "payload_snippet": "GET \/config\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; ZB602KL) Appl", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6e3e37079feca06debfd557f03c6e16f4b2ce0fb", "protocol_details": { "http_method": "GET", "http_path": "\/config\/application.properties", "request_line": "GET \/config\/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; ZB602KL) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/53\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; ZB602KL) Appl", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/application.properties", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/application.properties", "request_line": "GET \/config\/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; ZB602KL) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/53\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/application.properties", "evidence_snippet": "GET \/config\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; ZB602KL) Appl", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /wp-config.txt	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /wp-config.txt UA Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.15 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /wp-config.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /wp-config.txt Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /wp-config.txt HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.15 (KHTML, like Gecko) Chrome/10.0.613.0 Safari/534.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /wp-config.txt HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.15 (KH Requête brute (extrait) GET /wp-config.txt HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.15 (KHTML, like Gecko) Chrome/10.0.613.0 Safari/534.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "be1b0422073ac373e9c719ca6b743a7fcb737ca2", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "9af9cb129e55c20d8a5abcb3dfd6798fb7b03f7d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 245, "payload_entropy": 5.427128889612341, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f39dd65a535047fd3b661597b27e5ec3d606ffba", "event_fingerprint": "ee2673703f9458e2a739a7ba4b964b2e42e39ede", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "729eda3df9bea18b602258c2de583c94", "payload_hash": "5b07e6ce0269eae3bf7760e5636030e2", "path_pattern_hash": "8879b59407d37d82c9009d4ff34dd568" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/wp-config.txt HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KH", "method": "GET", "path": "\/wp-config.txt", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/wp-config.txt HTTP\/1.1", "request_sample": "GET \/wp-config.txt HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.txt HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KH", "evidence": { "method": "GET", "path": "\/wp-config.txt", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/wp-config.txt HTTP\/1.1", "request_sample": "GET \/wp-config.txt HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.txt HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KH", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3c5bcd3980e6deeeb4330a2c23c25179c38b513e", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.txt", "request_line": "GET \/wp-config.txt HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.txt HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KH", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.txt", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.txt", "request_line": "GET \/wp-config.txt HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.txt", "evidence_snippet": "GET \/wp-config.txt HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KH", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /settings/base.py	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /settings/base.py UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_settings Cible HTTP GET /settings/base.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /settings/base.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /settings/base.py HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36 Vivaldi/1.0.344.37 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /settings/base.py HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /settings/base.py HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36 Vivaldi/1.0.344.37 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "e1b6e7e91612bc862b133aa7e6977b5a0c829510", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "63738cb5dcf9f3714e49039b7f1d4a7979e8e84b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.459870219336971, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "a29bf5986e383562845087dfdccc68585053a466", "event_fingerprint": "90bac94998dcc72b18f5da7f2bf7df61ad3a0ebe", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8f43f9b340b8b3c6dafad3a297349b5f", "payload_hash": "bf16f2bb958a40972c8befa62d46659d", "path_pattern_hash": "0b306e5ed377ac070d67be2675e6b336" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/settings\/base.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/settings\/base.py", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/47.0.2526.80 Safari\/537.36 Vivaldi\/1.0.344.37", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings\/base.py HTTP\/1.1", "request_sample": "GET \/settings\/base.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/47.0.2526.80 Safari\/537.36 Vivaldi\/1.0.344.37\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/settings\/base.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/settings\/base.py", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/47.0.2526.80 Safari\/537.36 Vivaldi\/1.0.344.37", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings\/base.py HTTP\/1.1", "request_sample": "GET \/settings\/base.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/47.0.2526.80 Safari\/537.36 Vivaldi\/1.0.344.37\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/settings\/base.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "db3422fba53f077bcf92d995620b2753ebe40875", "protocol_details": { "http_method": "GET", "http_path": "\/settings\/base.py", "request_line": "GET \/settings\/base.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/47.0.2526.80 Safari\/537.36 Vivaldi\/1.0.34\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/settings\/base.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings\/base.py", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/settings\/base.py", "request_line": "GET \/settings\/base.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/47.0.2526.80 Safari\/537.36 Vivaldi\/1.0.34\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings\/base.py", "evidence_snippet": "GET \/settings\/base.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_settings", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /settings/local.py	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /settings/local.py UA Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.1… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_settings Cible HTTP GET /settings/local.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /settings/local.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /settings/local.py HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /settings/local.py HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9. Requête brute (extrait) GET /settings/local.py HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "0fc09560e7cefb24fc2c36d478eb96a34ea61796", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "785278c4abd87c1e8614b6fc434460fa3c60167e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 232, "payload_entropy": 5.277551828422388, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "a29bf5986e383562845087dfdccc68585053a466", "event_fingerprint": "a93d7cf5d9034ffff825272e44ba0f7b3359ea97", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0765d363a2f4e17ed6662441ebe726a5", "payload_hash": "3e136b65777fa382f3d5cad48c18fa18", "path_pattern_hash": "cfa2a71e8214ea6e643d4c02e89cc6cb" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/settings\/local.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.", "method": "GET", "path": "\/settings\/local.py", "user_agent": "Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko\/20110303 Firefox\/3.6.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings\/local.py HTTP\/1.1", "request_sample": "GET \/settings\/local.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko\/20110303 Firefox\/3.6.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/settings\/local.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.", "evidence": { "method": "GET", "path": "\/settings\/local.py", "user_agent": "Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko\/20110303 Firefox\/3.6.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings\/local.py HTTP\/1.1", "request_sample": "GET \/settings\/local.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko\/20110303 Firefox\/3.6.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/settings\/local.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "27dea7e88d29a44f3d6591963ed258524358e574", "protocol_details": { "http_method": "GET", "http_path": "\/settings\/local.py", "request_line": "GET \/settings\/local.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko\/20110303 Firefox\/3.6.15", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/settings\/local.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings\/local.py", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/settings\/local.py", "request_line": "GET \/settings\/local.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko\/20110303 Firefox\/3.6.15", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings\/local.py", "evidence_snippet": "GET \/settings\/local.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_settings", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /app/config/parameters.yaml	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app/config/parameters.yaml UA Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /app/config/parameters.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /app/config/parameters.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/config/parameters.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app/config/parameters.yaml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKi Requête brute (extrait) GET /app/config/parameters.yaml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yaml", "http_ua_hash": "521eae25998e470859810ebe6a8a836051c1b2aa", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "83aab3d7a9203cac49bf41e0b5a1c79c704b2790", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.437687322778582, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 61, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b71a3640df738d3e2ffb392f73ae06414f4a9a0b", "event_fingerprint": "9a339f50c5a3d638c531fb23c8c8553e13bea388", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9b2ce34d57c38b17869871ab02145de0", "payload_hash": "36fc38b4faa97aec2e41389e6fa33676", "path_pattern_hash": "8c6e5c3e505e4438940b3e0a90e2956a" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKi", "method": "GET", "path": "\/app\/config\/parameters.yaml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yaml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKi", "evidence": { "method": "GET", "path": "\/app\/config\/parameters.yaml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yaml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKi", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f14379892a2ccbdce35f5effc8371f6f529b96a6", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yaml", "request_line": "GET \/app\/config\/parameters.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKi", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/parameters.yaml", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yaml", "request_line": "GET \/app\/config\/parameters.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/parameters.yaml", "evidence_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKi", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /project/settings.py	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /project/settings.py UA Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /project/settings.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /project/settings.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Django settings Ligne de requête `GET /project/settings.py HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /project/settings.py HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /project/settings.py HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "e4861f8679e5155f9842a79480d4310270e3f871", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "11966cc72e0bfecaa733acc41e44392e18b681e0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.405570237574837, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 61, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b71a3640df738d3e2ffb392f73ae06414f4a9a0b", "event_fingerprint": "661901db27507c7a13b15edee43c48de048dff8a", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0112" ], "matched_pattern_names": [ "LFI Django settings" ], "pattern_ids": [ "pat-0112" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6a6d38f375f05245fc45ae61302800d5", "payload_hash": "da0d9ab5d500622c9f9ff9d1a187364e", "path_pattern_hash": "c29c8a7c1efc84947f863a90ed9e7db7" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/project\/settings.py", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/project\/settings.py HTTP\/1.1", "request_sample": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/project\/settings.py", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/project\/settings.py HTTP\/1.1", "request_sample": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c50f136a59c8aec3d0b84362edcc920c0f3c4493", "protocol_details": { "http_method": "GET", "http_path": "\/project\/settings.py", "request_line": "GET \/project\/settings.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/project\/settings.py", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/project\/settings.py", "request_line": "GET \/project\/settings.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/project\/settings.py", "evidence_snippet": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.3", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /storage/logs/laravel.log	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /storage/logs/laravel.log UA FeedFetcher-Google; ( http://www.google.com/feedfetcher.html) Émulateur HTTP WAF 25 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /storage/logs/laravel.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /storage/logs/laravel.log Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — 4 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass LFI Laravel log Ligne de requête `GET /storage/logs/laravel.log HTTP/1.1` User-Agent FeedFetcher-Google; ( http://www.google.com/feedfetcher.html) Règles WAF rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /storage/logs/laravel.log HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: FeedFetcher-Google; ( http://www.google.com/feedfetch Requête brute (extrait) GET /storage/logs/laravel.log HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: FeedFetcher-Google; ( http://www.google.com/feedfetcher.html) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "log", "http_ua_hash": "b14c25079b44d662b2a10bdfc539b8be54c13f94", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "8fec6092b6d50f048de7f5341eb923ae4a4ab6d3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 205, "payload_entropy": 5.066828244877606, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 6, "anomaly_count": 0, "campaign_key": "a92b79d5d33b04b9612e6ad8f679a2d9938ee0c1", "event_fingerprint": "e5fb35d8f07559f8faceb712a45316f4f6eb1130", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103", "pat-0124" ], "matched_pattern_names": [ "LFI Double-dot bypass", "LFI Laravel log" ], "pattern_ids": [ "pat-0103", "pat-0124" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d09871c0c583e0dbd1f2d4f027c289ce", "payload_hash": "a0c6d6d0e9f146252ef7109867247fc3", "path_pattern_hash": "6f29914bb94c22caf991d0657dba887c" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: FeedFetcher-Google; ( http:\/\/www.google.com\/feedfetch", "method": "GET", "path": "\/storage\/logs\/laravel.log", "user_agent": "FeedFetcher-Google; ( http:\/\/www.google.com\/feedfetcher.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/storage\/logs\/laravel.log HTTP\/1.1", "request_sample": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: FeedFetcher-Google; ( http:\/\/www.google.com\/feedfetcher.html)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: FeedFetcher-Google; ( http:\/\/www.google.com\/feedfetch", "evidence": { "method": "GET", "path": "\/storage\/logs\/laravel.log", "user_agent": "FeedFetcher-Google; ( http:\/\/www.google.com\/feedfetcher.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/storage\/logs\/laravel.log HTTP\/1.1", "request_sample": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: FeedFetcher-Google; ( http:\/\/www.google.com\/feedfetcher.html)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: FeedFetcher-Google; ( http:\/\/www.google.com\/feedfetch", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2ccfb50cef1f5044739e4e4f4219a4396dbb15a9", "protocol_details": { "http_method": "GET", "http_path": "\/storage\/logs\/laravel.log", "request_line": "GET \/storage\/logs\/laravel.log HTTP\/1.1", "http_user_agent": "FeedFetcher-Google; ( http:\/\/www.google.com\/feedfetcher.html)", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: FeedFetcher-Google; ( http:\/\/www.google.com\/feedfetch", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/storage\/logs\/laravel.log", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/storage\/logs\/laravel.log", "request_line": "GET \/storage\/logs\/laravel.log HTTP\/1.1", "http_user_agent": "FeedFetcher-Google; ( http:\/\/www.google.com\/feedfetcher.html)", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/storage\/logs\/laravel.log", "evidence_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: FeedFetcher-Google; ( http:\/\/www.google.com\/feedfetch", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /server/application.properties	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server/application.properties UA Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0) Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /server/application.properties TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /server/application.properties Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /server/application.properties HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server/application.properties HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6. Requête brute (extrait) GET /server/application.properties HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "properties", "http_ua_hash": "008dc8415699fb90c26b0ded6c54f368a639f0d3", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "e433f4a25bea9c7091dd294797aba9f705b3a3fe", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 212, "payload_entropy": 5.233405208216506, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 61, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b71a3640df738d3e2ffb392f73ae06414f4a9a0b", "event_fingerprint": "c79a4d6d279d6308e53f7a91aae092f3a798b4bb", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a83daec8bb9795457aa0ad37dbd69fc7", "payload_hash": "861d7d04a69acaf78870fc278245a5d4", "path_pattern_hash": "e3539cb3f1c980b2fa1f000afb7b6896" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/server\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.", "method": "GET", "path": "\/server\/application.properties", "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/4.0)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/application.properties HTTP\/1.1", "request_sample": "GET \/server\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/4.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.", "evidence": { "method": "GET", "path": "\/server\/application.properties", "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/4.0)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/application.properties HTTP\/1.1", "request_sample": "GET \/server\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/4.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aca3268feb843aa2f3bec909b11c5f615e4697aa", "protocol_details": { "http_method": "GET", "http_path": "\/server\/application.properties", "request_line": "GET \/server\/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/4.0)", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/application.properties", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server\/application.properties", "request_line": "GET \/server\/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/4.0)", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/application.properties", "evidence_snippet": "GET \/server\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /settings/production.py	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /settings/production.py UA Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk/1… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_settings Cible HTTP GET /settings/production.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /settings/production.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /settings/production.py HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk/1.0.13.81_10003810) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16 Silk-Accelerated=true Règles WAF rce-0 nosqli-3 Payload (extrait) GET /settings/production.py HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us Requête brute (extrait) GET /settings/production.py HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk/1.0.13.81_10003810) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16 Silk-Accelerated=true Accept-Charse Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "39b1f0ffae6bc4a4f6615bb6049d12fbf7523f23", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "cc6b445184452f6e13afcdd1d02a9b366ff0376c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 310, "payload_entropy": 5.347438975327031, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "a29bf5986e383562845087dfdccc68585053a466", "event_fingerprint": "cfba2bfc4fcb0b35c72fdafd593c60ab2ede6386", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "951aeae5c86a184c4c5e3c7911f59e84", "payload_hash": "1b277344896e73de5901fe79fd464990", "path_pattern_hash": "c348ef618ef0bfa50ce56f012c84455f" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us", "method": "GET", "path": "\/settings\/production.py", "user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings\/production.py HTTP\/1.1", "request_sample": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\r\nAccept-Charse", "payload_snippet": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us", "evidence": { "method": "GET", "path": "\/settings\/production.py", "user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings\/production.py HTTP\/1.1", "request_sample": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\r\nAccept-Charse", "payload_snippet": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "57ff2208a7958a67756a5683f1406cda49437a55", "protocol_details": { "http_method": "GET", "http_path": "\/settings\/production.py", "request_line": "GET \/settings\/production.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings\/production.py", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/settings\/production.py", "request_line": "GET \/settings\/production.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings\/production.py", "evidence_snippet": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_settings", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /services/config.yml	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /services/config.yml UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /services/config.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /services/config.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /services/config.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /services/config.yml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /services/config.yml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "005dc6c64675afe4d0756f5ef9693c492dd93986", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "2d88915b17a3e9417f411d093261d57afedac11a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.447053592780894, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 61, "tag_count": 4, "anomaly_count": 0, "campaign_key": "eaf6f0840ff9fe0b228515b857cf6831e68d7119", "event_fingerprint": "30cbc6d69383ae55f450eafd4ed8e44c887fe0a0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7d393d2b1feb8211a624fdda2914ef9e", "payload_hash": "e9b0ea20e9fc8ce15cefcc15d159737b", "path_pattern_hash": "c77847d5436776141786847bba665ee6" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/services\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/services\/config.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/services\/config.yml HTTP\/1.1", "request_sample": "GET \/services\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/services\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/services\/config.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/services\/config.yml HTTP\/1.1", "request_sample": "GET \/services\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/services\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cb834e5ae6d1882d485628af9f93b3cdffd4e37e", "protocol_details": { "http_method": "GET", "http_path": "\/services\/config.yml", "request_line": "GET \/services\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/services\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/config.yml", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/services\/config.yml", "request_line": "GET \/services\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/config.yml", "evidence_snippet": "GET \/services\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8220 · (tentative d'exploit) · → /bootstrap/cache/config.php	Élevée	Moyen · 60
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /bootstrap/cache/config.php UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /bootstrap/cache/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /bootstrap/cache/config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 60 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Generic config.php Ligne de requête `GET /bootstrap/cache/config.php HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /bootstrap/cache/config.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) App Requête brute (extrait) GET /bootstrap/cache/config.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "php", "http_ua_hash": "9ad2b047ce8ce8c3335a6ac3c84c7f6211906d34", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "bac3b02f1ce936e593505ba9114b968f810c00c8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.328889122256366, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 60, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4a2895560ff2351445c67cf08dcc35a7389a704a", "event_fingerprint": "312126fc1de83e8f982c08362c0fc320fceac325", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0118" ], "matched_pattern_names": [ "LFI Generic config.php" ], "pattern_ids": [ "pat-0118" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 60, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e33a6b4a0a723894205bf67b7d7cd800", "payload_hash": "582eb23ad3f49e842cc1c79e45461c53", "path_pattern_hash": "9823c90115688ca8a60aa1cefb3b4c36" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 60 }, "payload_preview": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) App", "method": "GET", "path": "\/bootstrap\/cache\/config.php", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bootstrap\/cache\/config.php HTTP\/1.1", "request_sample": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) App", "evidence": { "method": "GET", "path": "\/bootstrap\/cache\/config.php", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bootstrap\/cache\/config.php HTTP\/1.1", "request_sample": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) App", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bc0675737bb811577d5303e59fab17b11e102409", "protocol_details": { "http_method": "GET", "http_path": "\/bootstrap\/cache\/config.php", "request_line": "GET \/bootstrap\/cache\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1 Safari\/605.1.15", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) App", "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bootstrap\/cache\/config.php", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 60, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 60, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/bootstrap\/cache\/config.php", "request_line": "GET \/bootstrap\/cache\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1 Safari\/605.1.15", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bootstrap\/cache\/config.php", "evidence_snippet": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) App", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8220 · (tentative d'exploit) · → /config/config.php	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /config/config.php UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /config/config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Generic config.php Ligne de requête `GET /config/config.php HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.4 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/config.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/ Requête brute (extrait) GET /config/config.php HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.4 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "b746ffea81a2fa3b537e36b4ade1aba43f04765f", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "b8ef185fa629a44e5f886526b7a4543e57899abc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.398067434283428, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 61, "tag_count": 6, "anomaly_count": 0, "campaign_key": "811c2d02c1e6217f10261892bc7356c0a989b77f", "event_fingerprint": "e40a56c4368feef7faca150806b3057fc8ab4753", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0118" ], "matched_pattern_names": [ "LFI Generic config.php" ], "pattern_ids": [ "pat-0118" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bb9f65bd8af7a3b91ac0ca15df58e880", "payload_hash": "de43a0463945c45f0a142278719b7471", "path_pattern_hash": "72260f34617018282328c71c36115b23" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/", "method": "GET", "path": "\/config\/config.php", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/config.php HTTP\/1.1", "request_sample": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/config\/config.php", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/config.php HTTP\/1.1", "request_sample": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9365e327aebfb441ce28ef179bf0c493a6b1ceda", "protocol_details": { "http_method": "GET", "http_path": "\/config\/config.php", "request_line": "GET \/config\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/", "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/config.php", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/config.php", "request_line": "GET \/config\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/config.php", "evidence_snippet": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /app/config/parameters.yml	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app/config/parameters.yml UA Mozilla/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 net_flood Cible HTTP GET /app/config/parameters.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /app/config/parameters.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/config/parameters.yml HTTP/1.1` User-Agent Mozilla/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.40727; Media Center PC 4.0; InfoPath.1; en-NZ) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app/config/parameters.yml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; . Requête brute (extrait) GET /app/config/parameters.yml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.40727; Media Center PC 4.0; InfoPath.1; en-NZ) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "7ce2727e5acb7ee708c158ce04cd3d52ecac1e2b", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "cc8382c07ae1d99dcd8bb8a9e6a6c1ada2d7d586", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.3469975771037905, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 3, "anomaly_count": 0, "campaign_key": "16be72d80b49a0b8e7da276c667afab01b502a7e", "event_fingerprint": "73d0065b0b8e46351eef8e73301446a2b7188409", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "660bb921fceac983933f723b420e8c0e", "payload_hash": "1f803dbc1537684ec6b564e1e641b0c6", "path_pattern_hash": "14e465936c1b9cf9455ba711f44752e2" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .", "method": "GET", "path": "\/app\/config\/parameters.yml", "user_agent": "Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.40727; Media Center PC 4.0; InfoPath.1; en-NZ)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.40727; Media Center PC 4.0; InfoPath.1; en-NZ)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .", "evidence": { "method": "GET", "path": "\/app\/config\/parameters.yml", "user_agent": "Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.40727; Media Center PC 4.0; InfoPath.1; en-NZ)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.40727; Media Center PC 4.0; InfoPath.1; en-NZ)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "58c775f6f1430830750f33ce927deb0d01af6c3c", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yml", "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.40727; Media Center PC 4.0; InfoPath.1; en-NZ)", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/parameters.yml", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yml", "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.40727; Media Center PC 4.0; InfoPath.1; en-NZ)", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/parameters.yml", "evidence_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /app.yml	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app.yml UA Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0 Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /app.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /app.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app.yml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0 Acce Requête brute (extrait) GET /app.yml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "30f64055157dc1523c27299ce23be3c06ab177dd", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "597dea0ab924c152a2925645cc353ecd4a8eea78", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.28380053495245, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f39dd65a535047fd3b661597b27e5ec3d606ffba", "event_fingerprint": "70d2ddd75773d5b2342cd0d66674d6fa65681437", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1321ad0a029ffe243cfb2e0f8f41e310", "payload_hash": "0ac0007e97640a4e2e82d77a5f421dbe", "path_pattern_hash": "62ed182b1af6b760118a2c86d5130318" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0\r\nAcce", "method": "GET", "path": "\/app.yml", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.yml HTTP\/1.1", "request_sample": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0\r\nAcce", "evidence": { "method": "GET", "path": "\/app.yml", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.yml HTTP\/1.1", "request_sample": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0\r\nAcce", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bdfba8d638e99acaa3be036923678b9b2363a3d4", "protocol_details": { "http_method": "GET", "http_path": "\/app.yml", "request_line": "GET \/app.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0\r\nAcce", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.yml", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app.yml", "request_line": "GET \/app.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.yml", "evidence_snippet": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0) Gecko\/20100101 Firefox\/6.0\r\nAcce", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 11:54:42 UTC	TCP	8220 · HTTP	http	Flood / DDoS http flood · via HTTP:8220 · (tentative d'exploit) · → /application.yaml	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /application.yaml UA Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/2012… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /application.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8220 Chemin / cible /application.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /application.yaml HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Gecko Firefox/11.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application.yaml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20 Requête brute (extrait) GET /application.yaml HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Gecko Firefox/11.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "86b9f9c31a43f4a5468b8c97fa626c3b4940f1ea", "http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981", "http_target_hash": "1191e273c1826d3cef67d2c70d425072ebc43c59", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 222, "payload_entropy": 5.307341962107787, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8220, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5f5c1ee38949e36d757038bbc65579e72b4ee774", "event_fingerprint": "0e39a373687c6f8736038372327ba8822b24ce2c", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4c8ae1851f8d56d6e0ad6b37f9a65183", "payload_hash": "178b28987bd054a30193b01101341845", "path_pattern_hash": "cef87ee8c99d38579e29ea993d58f554" }, "target_context": { "dst_port": 8220, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/application.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20", "method": "GET", "path": "\/application.yaml", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20120421 Gecko Firefox\/11.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.yaml HTTP\/1.1", "request_sample": "GET \/application.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20120421 Gecko Firefox\/11.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/application.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20", "evidence": { "method": "GET", "path": "\/application.yaml", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20120421 Gecko Firefox\/11.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.yaml HTTP\/1.1", "request_sample": "GET \/application.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20120421 Gecko Firefox\/11.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/application.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c47798a63ee5fa23ba900fa16189b7e6ef852ac5", "protocol_details": { "http_method": "GET", "http_path": "\/application.yaml", "request_line": "GET \/application.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20120421 Gecko Firefox\/11.0", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20", "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.yaml", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8220, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/application.yaml", "request_line": "GET \/application.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20120421 Gecko Firefox\/11.0", "port": 8220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8220 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.yaml", "evidence_snippet": "GET \/application.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20", "target_port_label": "8220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }

34.128.115.255

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence