Détails IP 34.140.113.180

Synthèse exécutive

Profil de menace

Score de risque 70/100 Élevé

Première observation 15/06/2026 22:23 UTC

Dernière observation 15/06/2026 22:23 UTC

Événements (période) 60

MITRE ATT&CK principal TA0007 30 occurrences

Activité suspecte — risque 66/100 (Élevé) — MITRE T1083 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100%

Confiance 100 % — Score WAF 88 · Bonus corrélation +8 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 34.140.112.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 60 événements sur la période pour cette IP.

147.185.132.52 Sonde port 16/06/2026 18:42 UTC
35.203.211.98 Scanner web 16/06/2026 18:41 UTC
205.210.31.19 Scanner web 16/06/2026 18:41 UTC
147.185.133.140 Scanner web 16/06/2026 18:41 UTC
205.210.31.107 Sonde PostgreSQL 16/06/2026 18:37 UTC
162.216.150.108 Scanner web 16/06/2026 18:34 UTC
198.235.24.44 Sonde port 16/06/2026 18:33 UTC
147.185.132.94 Sonde port 16/06/2026 18:32 UTC

Événements (filtres)

Première observation

15/06/2026 22:23 UTC

Dernière observation

15/06/2026 22:23 UTC

Dernière activité (filtres)

15/06/2026 22:23 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 30 WEBLOGIC TCP 30

HTTP

WEBLOGIC

Géolocalisation

Origine réseau déclarée

Belgique unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 7001 weblogic_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

config file probe · via HTTP:7001 · (tentative d'exploit) · → /project/.git/config

Détails protocole

Méthode: GET
Chemin: /project/.git/config
User-Agent: MOT-V177/0.1.75 UP.Browser/6.2.3.9.c.12 (GUI) MMP/2.0 UP.Link/6.3.1.13.0

Aperçu payload

GET /project/.git/config HTTP/1.1 Host: 62.3.50.33:7001 User-Agent: MOT-V177/0.1.75 UP.Browser/6.2.3.9.c.12 (GUI) MMP/2.0 UP.L

Port / service

7001 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF

Technique MITRE

T1083

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

SIGMA-web-config-leak Http Sensitive Upstream Waf Score

Confiance

100% Corrélation +8

Famille de menace

path_traversal config_leak_scan

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

60 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

60 événement(s) — page 2/2

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 22:23:17 UTC	TCP	7001 · WEBLOGIC	weblogic	weblogic probe weblogic probe · via WEBLOGIC:7001 · (sonde / probe)	Élevée	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur WEBLOGIC WAF — Recommandation Surveiller Tags net_weblogic_probe tls_clienthello weblogic_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7001 Chemin / cible — Service WEBLOGIC Payload ��i�w��%u8_��G��S�lg�$�]d �B�=v~>jV0�Q��LMۖ�ҊFQ��$��&99&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « weblogic_probe » (signaux protocolaires) · confiance 77% Confiance classification 77% Risque capteur Faible · 33 Confiance : Confiance 77 % — 3 signal(aux) capteur Protocole émulé 1 Signaux Weblogic Console Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��i�w��%u8_��G��S�lg�$�]d �B�=v~>jV0�Q��LMۖ�ҊFQ��$��&99&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��i�w��%u8_��G��S�lg�$�]d �B�=v~>jV0�Q��LMۖ�ҊFQ��$��&99&�+�/�,�0̨̩� �� /5� w �+3&$ �M ��6�(�Oy�2��'푻4�k��1D Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043", "emulator_response_len": 177, "bytes_in": 239, "payload_entropy": 5.901842625688424, "port_category": "registered", "org": "Google LLC", "service": "weblogic", "app_proto": "weblogic", "asn": 396982, "country": "BE", "dst_port": 7001, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 33, "tag_count": 3, "anomaly_count": 0, "campaign_key": "a513a8b6579875aee9e6cefbe17ae13f4cd756cc", "event_fingerprint": "4ea7ffe7bc9ade2843b5e81016a496bfea35cfd6", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "confidence": 0.77, "classification_confidence": 0.77, "precision_score": 87, "precision_signals": [ "INT-weblogic_console", "INT-upstream" ], "kb_rule_ids": [ "INT-weblogic_console", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "named_classification_skipped": false, "service_name": "weblogic", "risk_confidence_factor": 77, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3bcbdeebf71901c27a971d50383fe7da", "path_pattern_hash": "a179ef516d6662010534ca5ee85ea8d3", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7001, "service": "weblogic", "service_name": "weblogic", "risk_score": 33 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdi\ufffdw\u0001\ufffd\ufffd%u8_\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffdS\ufffdlg\ufffd\u0002\u001f$\ufffd]\u0004d \ufffdB\ufffd=v~>jV0\ufffdQ\ufffd\ufffdLM\u06d6\ufffd\u048aFQ\u001b\ufffd\ufffd$\ufffd\ufffd&99\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdi\ufffdw\u0001\ufffd\ufffd%u8_\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffdS\ufffdlg\ufffd\u0002\u001f$\ufffd]\u0004d \ufffdB\ufffd=v~>jV0\ufffdQ\ufffd\ufffdLM\u06d6\ufffd\u048aFQ\u001b\ufffd\ufffd$\ufffd\ufffd&99\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdM\t\ufffd\u0011\ufffd\ufffd\ufffd\u001c6\ufffd\u0000(\ufffdOy\ufffd2\ufffd\ufffd'\ud47b4\ufffdk\ufffd\u0006\ufffd1D", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdi\ufffdw\u0001\ufffd\ufffd%u8_\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffdS\ufffdlg\ufffd\u0002\u001f$\ufffd]\u0004d \ufffdB\ufffd=v~>jV0\ufffdQ\ufffd\ufffdLM\u06d6\ufffd\u048aFQ\u001b\ufffd\ufffd$\ufffd\ufffd&99\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "afecc47f31b98a76c8e0612672a42571e08c5287", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdi\ufffdw\u0001\ufffd\ufffd%u8_\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffdS\ufffdlg\ufffd\u0002\u001f$\ufffd]\u0004d \ufffdB\ufffd=v~>jV0\ufffdQ\ufffd\ufffdLM\u06d6\ufffd\u048aFQ\u001b\ufffd\ufffd$\ufffd\ufffd&99\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "evidence_snippet": "\ufffd\ufffd\ufffdi\ufffdw\ufffd\ufffd%u8_\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffdS\ufffdlg\ufffd$\ufffd]d \ufffdB\ufffd=v~>jV0\ufffdQ\ufffd\ufffdLM\u06d6\ufffd\u048aFQ\ufffd\ufffd$\ufffd\ufffd&99&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "classification_reason_label_fr": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 77, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": "weblogic", "service_label_fr": "WEBLOGIC", "dst_port": 7001, "protocol_emulated": true, "tags_summary": [ "INT-weblogic_console", "INT-upstream" ], "tags_summary_labels_fr": [ "Weblogic Console", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdi\ufffdw\u0001\ufffd\ufffd%u8_\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffdS\ufffdlg\ufffd\u0002\u001f$\ufffd]\u0004d \ufffdB\ufffd=v~>jV0\ufffdQ\ufffd\ufffdLM\u06d6\ufffd\u048aFQ\u001b\ufffd\ufffd$\ufffd\ufffd&99\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdi\ufffdw\ufffd\ufffd%u8_\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffdS\ufffdlg\ufffd$\ufffd]d \ufffdB\ufffd=v~>jV0\ufffdQ\ufffd\ufffdLM\u06d6\ufffd\u048aFQ\ufffd\ufffd$\ufffd\ufffd&99&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 77 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic", "service_banner": "honeypot-weblogic", "service_os": "linux", "dst_port": "7001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_weblogic_probe", "tls_clienthello", "weblogic_emulated" ], "asn_dc_heuristic": true }
15/06/2026 22:23:17 UTC	TCP	7001 · WEBLOGIC	weblogic	weblogic probe weblogic probe · via WEBLOGIC:7001 · (sonde / probe)	Élevée	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur WEBLOGIC WAF — Recommandation Surveiller Tags net_weblogic_probe tls_clienthello weblogic_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7001 Chemin / cible — Service WEBLOGIC Payload ��q�c��ˮ3�P� \��5� ʹ �7w��ǻ�ԀM �pL�k�� Q7�1aE�3&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « weblogic_probe » (signaux protocolaires) · confiance 77% Confiance classification 77% Risque capteur Faible · 33 Confiance : Confiance 77 % — 3 signal(aux) capteur Protocole émulé 1 Signaux Weblogic Console Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��q�c��ˮ3�P� \��5�ʹ �7w��ǻ�ԀM �pL�k��Q7�1aE�3&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��q�c��ˮ3�P� \��5� ʹ �7w��ǻ�ԀM �pL�k�� Q7�1aE�3&�+�/�,�0̨̩� �� /5� w �+3&$ ~�f��psf(Ҿ��-9�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043", "emulator_response_len": 177, "bytes_in": 239, "payload_entropy": 5.782383753974942, "port_category": "registered", "org": "Google LLC", "service": "weblogic", "app_proto": "weblogic", "asn": 396982, "country": "BE", "dst_port": 7001, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 33, "tag_count": 3, "anomaly_count": 0, "campaign_key": "a513a8b6579875aee9e6cefbe17ae13f4cd756cc", "event_fingerprint": "4ea7ffe7bc9ade2843b5e81016a496bfea35cfd6", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "confidence": 0.77, "classification_confidence": 0.77, "precision_score": 87, "precision_signals": [ "INT-weblogic_console", "INT-upstream" ], "kb_rule_ids": [ "INT-weblogic_console", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "named_classification_skipped": false, "service_name": "weblogic", "risk_confidence_factor": 77, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e41d42a688b592a0f63800d80c66ceee", "path_pattern_hash": "a179ef516d6662010534ca5ee85ea8d3", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7001, "service": "weblogic", "service_name": "weblogic", "risk_score": 33 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003q\u0005\u0003\ufffdc\ufffd\ufffd\ufffd\u02ee3\ufffdP\ufffd\t\u0012\\\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\u0013\f\u02b9\u0000\u001a \ufffd7w\ufffd\ufffd\ufffd\u01fb\ufffd\u0500M \ufffdpL\ufffdk\ufffd\ufffd\u0013\ufffd\fQ7\ufffd\b1aE\ufffd3\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003q\u0005\u0003\ufffdc\ufffd\ufffd\ufffd\u02ee3\ufffdP\ufffd\t\u0012\\\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\u0013\f\u02b9\u0000\u001a \ufffd7w\ufffd\ufffd\ufffd\u01fb\ufffd\u0500M \ufffdpL\ufffdk\ufffd\ufffd\u0013\ufffd\fQ7\ufffd\b1aE\ufffd3\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u001b\u001f~\ufffdf\ufffd\ufffdp\u0016s\u001f\u0016\u0002f(\u04be\ufffd\u0007\ufffd\ufffd\u001c\ufffd\u0015\ufffd-9\ufffd\ufffd\ufffd\f", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003q\u0005\u0003\ufffdc\ufffd\ufffd\ufffd\u02ee3\ufffdP\ufffd\t\u0012\\\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\u0013\f\u02b9\u0000\u001a \ufffd7w\ufffd\ufffd\ufffd\u01fb\ufffd\u0500M \ufffdpL\ufffdk\ufffd\ufffd\u0013\ufffd\fQ7\ufffd\b1aE\ufffd3\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4105bd8415e89f861e23b70c20c52f0ef77869de", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003q\u0005\u0003\ufffdc\ufffd\ufffd\ufffd\u02ee3\ufffdP\ufffd\t\u0012\\\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\u0013\f\u02b9\u0000\u001a \ufffd7w\ufffd\ufffd\ufffd\u01fb\ufffd\u0500M \ufffdpL\ufffdk\ufffd\ufffd\u0013\ufffd\fQ7\ufffd\b1aE\ufffd3\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "evidence_snippet": "\ufffd\ufffdq\ufffdc\ufffd\ufffd\ufffd\u02ee3\ufffdP\ufffd\t\\\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\u02b9 \ufffd7w\ufffd\ufffd\ufffd\u01fb\ufffd\u0500M \ufffdpL\ufffdk\ufffd\ufffd\ufffdQ7\ufffd1aE\ufffd3&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "classification_reason_label_fr": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 77, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": "weblogic", "service_label_fr": "WEBLOGIC", "dst_port": 7001, "protocol_emulated": true, "tags_summary": [ "INT-weblogic_console", "INT-upstream" ], "tags_summary_labels_fr": [ "Weblogic Console", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003q\u0005\u0003\ufffdc\ufffd\ufffd\ufffd\u02ee3\ufffdP\ufffd\t\u0012\\\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\u0013\f\u02b9\u0000\u001a \ufffd7w\ufffd\ufffd\ufffd\u01fb\ufffd\u0500M \ufffdpL\ufffdk\ufffd\ufffd\u0013\ufffd\fQ7\ufffd\b1aE\ufffd3\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdq\ufffdc\ufffd\ufffd\ufffd*\u02ee3\ufffdP\ufffd\t\\\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\u02b9 \ufffd7w\ufffd\ufffd\ufffd\u01fb\ufffd\u0500M \ufffdpL\ufffdk\ufffd\ufffd\ufffdQ7\ufffd1aE\ufffd3&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 77 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic", "service_banner": "honeypot-weblogic", "service_os": "linux", "dst_port": "7001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_weblogic_probe", "tls_clienthello", "weblogic_emulated" ], "asn_dc_heuristic": true }
15/06/2026 22:23:17 UTC	TCP	7001 · WEBLOGIC	weblogic	weblogic probe weblogic probe · via WEBLOGIC:7001 · (sonde / probe)	Élevée	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur WEBLOGIC WAF — Recommandation Surveiller Tags net_weblogic_probe tls_clienthello weblogic_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7001 Chemin / cible — Service WEBLOGIC Payload ��ƾ�2'��y�=!+^vI�թ��`У+ F�}v�B5��'#��6�OXQ�^K�XS��h&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « weblogic_probe » (signaux protocolaires) · confiance 77% Confiance classification 77% Risque capteur Faible · 33 Confiance : Confiance 77 % — 3 signal(aux) capteur Protocole émulé 1 Signaux Weblogic Console Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��ƾ�2'��y�=!+^vI�թ��`У+ F�}v�B5��'#��6�OXQ�^K�XS��h&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��ƾ�2'��y�=!+^vI�թ��`У+ F�}v�B5��'#��6�OXQ�^K�XS��h&�+�/�,�0̨̩� �� /5� w �+3&$ �K��+�a��r��cpy��#�1 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043", "emulator_response_len": 177, "bytes_in": 239, "payload_entropy": 5.843757537181078, "port_category": "registered", "org": "Google LLC", "service": "weblogic", "app_proto": "weblogic", "asn": 396982, "country": "BE", "dst_port": 7001, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 33, "tag_count": 3, "anomaly_count": 0, "campaign_key": "a513a8b6579875aee9e6cefbe17ae13f4cd756cc", "event_fingerprint": "4ea7ffe7bc9ade2843b5e81016a496bfea35cfd6", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "confidence": 0.77, "classification_confidence": 0.77, "precision_score": 87, "precision_signals": [ "INT-weblogic_console", "INT-upstream" ], "kb_rule_ids": [ "INT-weblogic_console", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "named_classification_skipped": false, "service_name": "weblogic", "risk_confidence_factor": 77, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "195fb7e4c9eae432d63ad4f7ff09e35d", "path_pattern_hash": "a179ef516d6662010534ca5ee85ea8d3", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7001, "service": "weblogic", "service_name": "weblogic", "risk_score": 33 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u01be\ufffd2\u001a\u0016'\ufffd\ufffd\ufffdy\ufffd=!+^\u0014\u0017vI\ufffd\u0569\ufffd\u0003\ufffd`\u0006\u0423+ F\ufffd}v\ufffdB5\ufffd\u009c\ufffd'#\ufffd\ufffd6\ufffd\u000eOXQ\ufffd^K\ufffdXS\ufffd\ufffd\ufffdh\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u01be\ufffd2\u001a\u0016'\ufffd\ufffd\ufffdy\ufffd=!+^\u0014\u0017vI\ufffd\u0569\ufffd\u0003\ufffd`\u0006\u0423+ F\ufffd}v\ufffdB5\ufffd\u009c\ufffd'#\ufffd\ufffd6\ufffd\u000eOXQ\ufffd^K\ufffdXS\ufffd\ufffd\ufffdh\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdK\ufffd\ufffd\ufffd\ufffd\u0014\ufffd+\ufffda\u0019\ufffd\ufffdr\ufffd\u001c\ufffdcp\u0010y\ufffd\ufffd\ufffd\ufffd#\u0017\ufffd1", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u01be\ufffd2\u001a\u0016'\ufffd\ufffd\ufffdy\ufffd=!+^\u0014\u0017vI\ufffd\u0569\ufffd\u0003\ufffd`\u0006\u0423+ F\ufffd}v\ufffdB5\ufffd\u009c\ufffd'#\ufffd\ufffd6\ufffd\u000eOXQ\ufffd^K\ufffdXS\ufffd\ufffd\ufffdh\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "452e3c2ca0468f9ec340d6aa8c1804138b6b9704", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u01be\ufffd2\u001a\u0016'\ufffd\ufffd\ufffdy\ufffd=!+^\u0014\u0017vI\ufffd\u0569\ufffd\u0003\ufffd`\u0006\u0423+ F\ufffd}v\ufffdB5\ufffd\u009c\ufffd'#\ufffd\ufffd6\ufffd\u000eOXQ\ufffd^K\ufffdXS\ufffd\ufffd\ufffdh\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "evidence_snippet": "\ufffd\ufffd\u01be\ufffd2'\ufffd\ufffd\ufffdy\ufffd=!+^vI\ufffd\u0569\ufffd\ufffd`\u0423+ F\ufffd}v\ufffdB5\ufffd\u009c\ufffd'#\ufffd\ufffd6\ufffdOXQ\ufffd^K\ufffdXS\ufffd\ufffd\ufffdh&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "classification_reason_label_fr": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 77, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": "weblogic", "service_label_fr": "WEBLOGIC", "dst_port": 7001, "protocol_emulated": true, "tags_summary": [ "INT-weblogic_console", "INT-upstream" ], "tags_summary_labels_fr": [ "Weblogic Console", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u01be\ufffd2\u001a\u0016'\ufffd\ufffd\ufffdy\ufffd=!+^\u0014\u0017vI\ufffd\u0569\ufffd\u0003\ufffd`\u0006\u0423+ F\ufffd}v\ufffdB5\ufffd\u009c\ufffd'#\ufffd\ufffd6\ufffd\u000eOXQ\ufffd^K\ufffdXS\ufffd\ufffd\ufffdh\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\u01be\ufffd2'\ufffd\ufffd\ufffdy\ufffd=!+^vI\ufffd\u0569\ufffd\ufffd`\u0423+ F\ufffd}v\ufffdB5\ufffd\u009c\ufffd'#\ufffd\ufffd6\ufffd*OXQ\ufffd^K\ufffdXS\ufffd\ufffd\ufffdh&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 77 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic", "service_banner": "honeypot-weblogic", "service_os": "linux", "dst_port": "7001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_weblogic_probe", "tls_clienthello", "weblogic_emulated" ], "asn_dc_heuristic": true }
15/06/2026 22:23:17 UTC	TCP	7001 · WEBLOGIC	weblogic	weblogic probe weblogic probe · via WEBLOGIC:7001 · (sonde / probe)	Élevée	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur WEBLOGIC WAF — Recommandation Surveiller Tags net_weblogic_probe tls_clienthello weblogic_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7001 Chemin / cible — Service WEBLOGIC Payload ��Ed/��9�y�(1&C�)ڏ2K�V&u=��F�]� zAa�'c��s�o~'��#�\|�B��9��7�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « weblogic_probe » (signaux protocolaires) · confiance 77% Confiance classification 77% Risque capteur Faible · 33 Confiance : Confiance 77 % — 3 signal(aux) capteur Protocole émulé 1 Signaux Weblogic Console Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Ed/��9�y�(1&C�)ڏ2K�V&u=��F�]� zAa�'c��s�o~'��#�\|�B��9��7�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Ed/��9�y�(1&C�)ڏ2K�V&u=��F�]� zAa�'c��s�o~'��#�\|�B��9��7�&�+�/�,�0̨̩� �� /5� w �+3&$ NP�DqN�_�d�� {�Wo�d���[ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043", "emulator_response_len": 177, "bytes_in": 239, "payload_entropy": 5.888067539129958, "port_category": "registered", "org": "Google LLC", "service": "weblogic", "app_proto": "weblogic", "asn": 396982, "country": "BE", "dst_port": 7001, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 33, "tag_count": 3, "anomaly_count": 0, "campaign_key": "a513a8b6579875aee9e6cefbe17ae13f4cd756cc", "event_fingerprint": "4ea7ffe7bc9ade2843b5e81016a496bfea35cfd6", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "confidence": 0.77, "classification_confidence": 0.77, "precision_score": 87, "precision_signals": [ "INT-weblogic_console", "INT-upstream" ], "kb_rule_ids": [ "INT-weblogic_console", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "named_classification_skipped": false, "service_name": "weblogic", "risk_confidence_factor": 77, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fe935a778b86b8548749c599eddd73b2", "path_pattern_hash": "a179ef516d6662010534ca5ee85ea8d3", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7001, "service": "weblogic", "service_name": "weblogic", "risk_score": 33 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdEd\/\ufffd\ufffd9\ufffdy\ufffd(1&C\ufffd)\u068f2K\ufffdV&\u0013u=\ufffd\ufffdF\ufffd]\ufffd z\u000fAa\u0003\ufffd'c\ufffd\ufffd\ufffds\ufffdo~'\ufffd\u0013\ufffd#\ufffd\u0019\|\ufffdB\ufffd\ufffd9\ufffd\ufffd7\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdEd\/\ufffd\ufffd9\ufffdy\ufffd(1&C\ufffd)\u068f2K\ufffdV&\u0013u=\ufffd\ufffdF\ufffd]\ufffd z\u000fAa\u0003\ufffd'c\ufffd\ufffd\ufffds\ufffdo~'\ufffd\u0013\ufffd#\ufffd\u0019\|\ufffdB\ufffd\ufffd9\ufffd\ufffd7\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 NP\ufffdDqN\ufffd_\u000f\ufffdd\ufffd\ufffd\u000b\ufffd\ufffd{\ufffdWo\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd[", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdEd\/\ufffd\ufffd9\ufffdy\ufffd(1&C\ufffd)\u068f2K\ufffdV&\u0013u=\ufffd\ufffdF\ufffd]\ufffd z\u000fAa\u0003\ufffd'c\ufffd\ufffd\ufffds\ufffdo~'\ufffd\u0013\ufffd#\ufffd\u0019\|\ufffdB\ufffd\ufffd9\ufffd\ufffd7\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "719d7c9a8c6cee2f7fc15cbad98183fb489ef49f", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdEd\/\ufffd\ufffd9\ufffdy\ufffd(1&C\ufffd)\u068f2K\ufffdV&\u0013u=\ufffd\ufffdF\ufffd]\ufffd z\u000fAa\u0003\ufffd'c\ufffd\ufffd\ufffds\ufffdo~'\ufffd\u0013\ufffd#\ufffd\u0019\|\ufffdB\ufffd\ufffd9\ufffd\ufffd7\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "evidence_snippet": "\ufffd\ufffd\ufffdEd\/\ufffd\ufffd9\ufffdy\ufffd(1&C\ufffd)\u068f2K\ufffdV&u=\ufffd\ufffdF\ufffd]\ufffd zAa\ufffd'c\ufffd\ufffd\ufffds\ufffdo~'\ufffd\ufffd#\ufffd\|\ufffdB\ufffd\ufffd9\ufffd\ufffd7\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "classification_reason_label_fr": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 77, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": "weblogic", "service_label_fr": "WEBLOGIC", "dst_port": 7001, "protocol_emulated": true, "tags_summary": [ "INT-weblogic_console", "INT-upstream" ], "tags_summary_labels_fr": [ "Weblogic Console", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdEd\/\ufffd\ufffd9\ufffdy\ufffd(1&C\ufffd)\u068f2K\ufffdV&\u0013u=\ufffd\ufffdF\ufffd]\ufffd z\u000fAa\u0003\ufffd'c\ufffd\ufffd\ufffds\ufffdo~'\ufffd\u0013\ufffd#\ufffd\u0019\|\ufffdB\ufffd\ufffd9\ufffd\ufffd7\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdEd\/\ufffd\ufffd9\ufffdy\ufffd(1&C\ufffd)\u068f2K\ufffdV&u=\ufffd\ufffdF\ufffd]\ufffd zAa\ufffd'c\ufffd\ufffd\ufffds\ufffdo~'\ufffd\ufffd#\ufffd\|\ufffdB\ufffd\ufffd9\ufffd\ufffd7\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 77 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic", "service_banner": "honeypot-weblogic", "service_os": "linux", "dst_port": "7001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_weblogic_probe", "tls_clienthello", "weblogic_emulated" ], "asn_dc_heuristic": true }
15/06/2026 22:23:17 UTC	TCP	7001 · WEBLOGIC	weblogic	weblogic probe weblogic probe · via WEBLOGIC:7001 · (sonde / probe)	Élevée	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur WEBLOGIC WAF — Recommandation Surveiller Tags net_weblogic_probe tls_clienthello weblogic_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7001 Chemin / cible — Service WEBLOGIC Payload ��>!?N��6��`��H-��OK��w�U<�6� (�A��_1��Ӻ_/G�� rL��yI&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « weblogic_probe » (signaux protocolaires) · confiance 77% Confiance classification 77% Risque capteur Faible · 33 Confiance : Confiance 77 % — 3 signal(aux) capteur Protocole émulé 1 Signaux Weblogic Console Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��>!?N��6��`��H-��OK��w�U<�6� (�A��_1��Ӻ_/G�� rL��yI&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��>!?N��6��`��H-��OK��w�U<�6� (�A��_1��Ӻ_/G�� rL��yI&�+�/�,�0̨̩� �� /5� w �+3&$ Ү��V��1p��遮��=��d5 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043", "emulator_response_len": 177, "bytes_in": 239, "payload_entropy": 5.870738210886964, "port_category": "registered", "org": "Google LLC", "service": "weblogic", "app_proto": "weblogic", "asn": 396982, "country": "BE", "dst_port": 7001, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 33, "tag_count": 3, "anomaly_count": 0, "campaign_key": "a513a8b6579875aee9e6cefbe17ae13f4cd756cc", "event_fingerprint": "4ea7ffe7bc9ade2843b5e81016a496bfea35cfd6", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "confidence": 0.77, "classification_confidence": 0.77, "precision_score": 87, "precision_signals": [ "INT-weblogic_console", "INT-upstream" ], "kb_rule_ids": [ "INT-weblogic_console", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "named_classification_skipped": false, "service_name": "weblogic", "risk_confidence_factor": 77, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "606fb389aa81962e436cbaeda0289f84", "path_pattern_hash": "a179ef516d6662010534ca5ee85ea8d3", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7001, "service": "weblogic", "service_name": "weblogic", "risk_score": 33 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>!?N\ufffd\ufffd6\ufffd\u0005\ufffd`\ufffd\ufffd\ufffd\ufffdH-\ufffd\ufffd\ufffdOK\ufffd\ufffdw\ufffdU<\ufffd6\ufffd \u0003(\ufffdA\ufffd\ufffd\ufffd_1\ufffd\ufffd\u04fa_\/G\ufffd\ufffd\u000e\n\u0007rL\ufffd\u001e\ufffd\u0007\ufffdyI\u0015\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>!?N\ufffd\ufffd6\ufffd\u0005\ufffd`\ufffd\ufffd\ufffd\ufffdH-\ufffd\ufffd\ufffdOK\ufffd\ufffdw\ufffdU<\ufffd6\ufffd \u0003(\ufffdA\ufffd\ufffd\ufffd_1\ufffd\ufffd\u04fa_\/G\ufffd\ufffd\u000e\n\u0007rL\ufffd\u001e\ufffd\u0007\ufffdyI\u0015\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u04ae\ufffd\ufffdV\u001e\ufffd\ufffd1p\ufffd\ufffd\ufffd\u0004\ufffd\u906e\ufffd\ufffd\ufffd\ufffd=\ufffd\ufffd\u000ed5\r\u000b", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>!?N\ufffd\ufffd6\ufffd\u0005\ufffd`\ufffd\ufffd\ufffd\ufffdH-\ufffd\ufffd\ufffdOK\ufffd\ufffdw\ufffdU<\ufffd6\ufffd \u0003(\ufffdA\ufffd\ufffd\ufffd_1\ufffd\ufffd\u04fa_\/G\ufffd\ufffd\u000e\n\u0007rL\ufffd\u001e\ufffd\u0007\ufffdyI\u0015\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cb27bde002f0a3cc94fddae1ed2065f62585f526", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>!?N\ufffd\ufffd6\ufffd\u0005\ufffd`\ufffd\ufffd\ufffd\ufffdH-\ufffd\ufffd\ufffdOK\ufffd\ufffdw\ufffdU<\ufffd6\ufffd \u0003(\ufffdA\ufffd\ufffd\ufffd_1\ufffd\ufffd\u04fa_\/G\ufffd\ufffd\u000e\n\u0007rL\ufffd\u001e\ufffd\u0007\ufffdyI\u0015\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "evidence_snippet": "\ufffd\ufffd>!?N\ufffd\ufffd6\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffdH-\ufffd\ufffd\ufffdOK\ufffd\ufffdw\ufffdU<\ufffd6\ufffd (\ufffdA\ufffd\ufffd\ufffd_1\ufffd\ufffd\u04fa_\/G\ufffd\ufffd\nrL\ufffd\ufffd\ufffdyI&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "classification_reason_label_fr": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 77, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": "weblogic", "service_label_fr": "WEBLOGIC", "dst_port": 7001, "protocol_emulated": true, "tags_summary": [ "INT-weblogic_console", "INT-upstream" ], "tags_summary_labels_fr": [ "Weblogic Console", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>!?N\ufffd\ufffd6\ufffd\u0005\ufffd`\ufffd\ufffd\ufffd\ufffdH-\ufffd\ufffd\ufffdOK\ufffd\ufffdw\ufffdU<\ufffd6\ufffd \u0003(\ufffdA\ufffd\ufffd\ufffd_1\ufffd\ufffd\u04fa_\/G\ufffd\ufffd\u000e\n\u0007rL\ufffd\u001e\ufffd\u0007\ufffdyI\u0015\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd>!?N\ufffd\ufffd6\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffdH-\ufffd\ufffd\ufffdOK\ufffd\ufffdw\ufffdU<\ufffd6\ufffd (\ufffdA\ufffd\ufffd\ufffd_1\ufffd\ufffd\u04fa_\/G\ufffd\ufffd\nrL\ufffd\ufffd\ufffdyI&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 77 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic", "service_banner": "honeypot-weblogic", "service_os": "linux", "dst_port": "7001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_weblogic_probe", "tls_clienthello", "weblogic_emulated" ], "asn_dc_heuristic": true }
15/06/2026 22:23:17 UTC	TCP	7001 · WEBLOGIC	weblogic	weblogic probe weblogic probe · via WEBLOGIC:7001 · (sonde / probe)	Élevée	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur WEBLOGIC WAF — Recommandation Surveiller Tags net_weblogic_probe tls_clienthello weblogic_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7001 Chemin / cible — Service WEBLOGIC Payload ��7v�q/y�ͮ�]�vӯK��Y��e�Z#�� 0�ח4w�[>$� ��U�� s��"s��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « weblogic_probe » (signaux protocolaires) · confiance 77% Confiance classification 77% Risque capteur Faible · 33 Confiance : Confiance 77 % — 3 signal(aux) capteur Protocole émulé 1 Signaux Weblogic Console Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��7v�q/y�ͮ�]�vӯK��Y��e�Z#�� 0�ח4w�[>$� ��U�� s��"s��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��7v�q/y�ͮ�]�vӯK��Y��e�Z#�� 0�ח4w�[>$� ��U�� s��"s��&�+�/�,�0̨̩� �� /5� w �+3&$ S7��P }f��E��`�K\2œ1��* Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043", "emulator_response_len": 177, "bytes_in": 239, "payload_entropy": 5.818252969043105, "port_category": "registered", "org": "Google LLC", "service": "weblogic", "app_proto": "weblogic", "asn": 396982, "country": "BE", "dst_port": 7001, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 33, "tag_count": 3, "anomaly_count": 0, "campaign_key": "a513a8b6579875aee9e6cefbe17ae13f4cd756cc", "event_fingerprint": "4ea7ffe7bc9ade2843b5e81016a496bfea35cfd6", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "confidence": 0.77, "classification_confidence": 0.77, "precision_score": 87, "precision_signals": [ "INT-weblogic_console", "INT-upstream" ], "kb_rule_ids": [ "INT-weblogic_console", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "named_classification_skipped": false, "service_name": "weblogic", "risk_confidence_factor": 77, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a42c2e0b1cddc306a7706a6360bc58b7", "path_pattern_hash": "a179ef516d6662010534ca5ee85ea8d3", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7001, "service": "weblogic", "service_name": "weblogic", "risk_score": 33 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd7v\ufffdq\/y\ufffd\u036e\ufffd]\ufffdv\u04efK\ufffd\ufffdY\b\u0013\ufffd\ufffde\ufffdZ#\ufffd\ufffd 0\ufffd\u05d74w\ufffd[>$\ufffd\u000f\r\ufffd\ufffdU\ufffd\u001f\ufffd\b\ufffd s\ufffd\ufffd\"s\ufffd\u0012\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd7v\ufffdq\/y\ufffd\u036e\ufffd]\ufffdv\u04efK\ufffd\ufffdY\b\u0013\ufffd\ufffde\ufffdZ#\ufffd\ufffd 0\ufffd\u05d74w\ufffd[>$\ufffd\u000f\r\ufffd\ufffdU\ufffd\u001f\ufffd\b\ufffd s\ufffd\ufffd\"s\ufffd\u0012\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 S7\ufffd\ufffdP\n}f\u0014\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\u0004\ufffd`\ufffdK\\2\u01531\u0006\ufffd\ufffd*", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd7v\ufffdq\/y\ufffd\u036e\ufffd]\ufffdv\u04efK\ufffd\ufffdY\b\u0013\ufffd\ufffde\ufffdZ#\ufffd\ufffd 0\ufffd\u05d74w\ufffd[>$\ufffd\u000f\r\ufffd\ufffdU\ufffd\u001f\ufffd\b\ufffd s\ufffd\ufffd\"s\ufffd\u0012\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ecd8b116fb6f413ff56d6304f371631e82255016", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd7v\ufffdq\/y\ufffd\u036e\ufffd]\ufffdv\u04efK\ufffd\ufffdY\b\u0013\ufffd\ufffde\ufffdZ#\ufffd\ufffd 0\ufffd\u05d74w\ufffd[>$\ufffd\u000f\r\ufffd\ufffdU\ufffd\u001f\ufffd\b\ufffd s\ufffd\ufffd\"s\ufffd\u0012\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd7v\ufffdq\/y\ufffd\u036e\ufffd]\ufffdv\u04efK\ufffd\ufffdY\ufffd\ufffde\ufffdZ#\ufffd\ufffd 0\ufffd\u05d74w\ufffd[>$\ufffd\r\ufffd\ufffdU\ufffd\ufffd\ufffd s\ufffd\ufffd\"s\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "classification_reason_label_fr": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 77, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": "weblogic", "service_label_fr": "WEBLOGIC", "dst_port": 7001, "protocol_emulated": true, "tags_summary": [ "INT-weblogic_console", "INT-upstream" ], "tags_summary_labels_fr": [ "Weblogic Console", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd7v\ufffdq\/y\ufffd\u036e\ufffd]\ufffdv\u04efK\ufffd\ufffdY\b\u0013\ufffd\ufffde\ufffdZ#\ufffd\ufffd 0\ufffd\u05d74w\ufffd[>$\ufffd\u000f\r\ufffd\ufffdU\ufffd\u001f\ufffd\b\ufffd s\ufffd\ufffd\"s\ufffd\u0012\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd7v\ufffdq\/y\ufffd\u036e\ufffd]\ufffdv\u04efK\ufffd\ufffdY\ufffd\ufffde\ufffdZ#\ufffd\ufffd 0\ufffd\u05d74w\ufffd[>$\ufffd\r\ufffd\ufffdU\ufffd\ufffd\ufffd s\ufffd\ufffd\"s\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 77 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic", "service_banner": "honeypot-weblogic", "service_os": "linux", "dst_port": "7001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_weblogic_probe", "tls_clienthello", "weblogic_emulated" ], "asn_dc_heuristic": true }
15/06/2026 22:23:17 UTC	TCP	7001 · WEBLOGIC	weblogic	weblogic probe weblogic probe · via WEBLOGIC:7001 · (sonde / probe)	Élevée	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur WEBLOGIC WAF — Recommandation Surveiller Tags net_weblogic_probe tls_clienthello weblogic_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7001 Chemin / cible — Service WEBLOGIC Payload ��.!�}�f)�Y7��ϸ��Uv)+� ?y\.��8��w]��l�!�\|�Q�Z��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « weblogic_probe » (signaux protocolaires) · confiance 77% Confiance classification 77% Risque capteur Faible · 33 Confiance : Confiance 77 % — 3 signal(aux) capteur Protocole émulé 1 Signaux Weblogic Console Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��.!�}�f)�Y7��ϸ��Uv)+� ?y\.��8��w]��l�!�\|�Q�Z��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��.!�}�f)�Y7��ϸ��Uv)+� ?y\.��8��w]��l�!�\|�Q�Z��&�+�/�,�0̨̩� �� /5� w �+3&$ ��$��P��vH��f�8�o�C�#^� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043", "emulator_response_len": 177, "bytes_in": 239, "payload_entropy": 5.8502675483502244, "port_category": "registered", "org": "Google LLC", "service": "weblogic", "app_proto": "weblogic", "asn": 396982, "country": "BE", "dst_port": 7001, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 33, "tag_count": 3, "anomaly_count": 0, "campaign_key": "a513a8b6579875aee9e6cefbe17ae13f4cd756cc", "event_fingerprint": "4ea7ffe7bc9ade2843b5e81016a496bfea35cfd6", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "confidence": 0.77, "classification_confidence": 0.77, "precision_score": 87, "precision_signals": [ "INT-weblogic_console", "INT-upstream" ], "kb_rule_ids": [ "INT-weblogic_console", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "named_classification_skipped": false, "service_name": "weblogic", "risk_confidence_factor": 77, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7d8081270c7226f59f305cc10cefe218", "path_pattern_hash": "a179ef516d6662010534ca5ee85ea8d3", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7001, "service": "weblogic", "service_name": "weblogic", "risk_score": 33 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.!\ufffd}\ufffdf)\ufffdY7\ufffd\u001f\ufffd\ufffd\ufffd\u03f8\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdU\u001av)+\ufffd ?y\\.\ufffd\ufffd8\u0010\u000e\ufffd\u000e\ufffdw]\u000e\ufffd\ufffdl\u0017\ufffd!\ufffd\|\ufffdQ\u0011\ufffdZ\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.!\ufffd}\ufffdf)\ufffdY7\ufffd\u001f\ufffd\ufffd\ufffd\u03f8\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdU\u001av)+\ufffd ?y\\.\ufffd\ufffd8\u0010\u000e\ufffd\u000e\ufffdw]\u000e\ufffd\ufffdl\u0017\ufffd!\ufffd\|\ufffdQ\u0011\ufffdZ\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\u001f$\ufffd\ufffdP\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdvH\ufffd\ufffdf\u000f\u0019\ufffd8\ufffdo\ufffdC\ufffd#^\ufffd ", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.!\ufffd}\ufffdf)\ufffdY7\ufffd\u001f\ufffd\ufffd\ufffd\u03f8\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdU\u001av)+\ufffd ?y\\.\ufffd\ufffd8\u0010\u000e\ufffd\u000e\ufffdw]\u000e\ufffd\ufffdl\u0017\ufffd!\ufffd\|\ufffdQ\u0011\ufffdZ\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b806737bb191dcd2dc3dd00a25fce8831dea513d", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.!\ufffd}\ufffdf)\ufffdY7\ufffd\u001f\ufffd\ufffd\ufffd\u03f8\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdU\u001av)+\ufffd ?y\\.\ufffd\ufffd8\u0010\u000e\ufffd\u000e\ufffdw]\u000e\ufffd\ufffdl\u0017\ufffd!\ufffd\|\ufffdQ\u0011\ufffdZ\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "evidence_snippet": "\ufffd\ufffd\ufffd.!\ufffd}\ufffdf)\ufffdY7\ufffd\ufffd\ufffd\ufffd\u03f8\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdUv)+\ufffd ?y\\.\ufffd\ufffd8\ufffd\ufffdw]\ufffd\ufffdl\ufffd!\ufffd\|\ufffdQ\ufffdZ\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "classification_reason_label_fr": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 77, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": "weblogic", "service_label_fr": "WEBLOGIC", "dst_port": 7001, "protocol_emulated": true, "tags_summary": [ "INT-weblogic_console", "INT-upstream" ], "tags_summary_labels_fr": [ "Weblogic Console", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.!\ufffd}\ufffdf)\ufffdY7\ufffd\u001f\ufffd\ufffd\ufffd\u03f8\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdU\u001av)+\ufffd ?y\\.\ufffd\ufffd8\u0010\u000e\ufffd\u000e\ufffdw]\u000e\ufffd\ufffdl\u0017\ufffd!\ufffd\|\ufffdQ\u0011\ufffdZ\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd.!\ufffd}\ufffdf)\ufffdY7\ufffd\ufffd\ufffd\ufffd\u03f8\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdUv)+\ufffd ?y\\.\ufffd\ufffd8\ufffd\ufffdw]\ufffd\ufffdl\ufffd!\ufffd\|\ufffdQ\ufffdZ\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 77 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic", "service_banner": "honeypot-weblogic", "service_os": "linux", "dst_port": "7001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_weblogic_probe", "tls_clienthello", "weblogic_emulated" ], "asn_dc_heuristic": true }
15/06/2026 22:23:17 UTC	TCP	7001 · WEBLOGIC	weblogic	weblogic probe weblogic probe · via WEBLOGIC:7001 · (sonde / probe)	Élevée	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur WEBLOGIC WAF — Recommandation Surveiller Tags net_weblogic_probe tls_clienthello weblogic_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7001 Chemin / cible — Service WEBLOGIC Payload ��>�mswuI�uf6M��9l ��]>/�g� �$-��d�K�G�'��q�MR�^�4�,�o&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « weblogic_probe » (signaux protocolaires) · confiance 77% Confiance classification 77% Risque capteur Faible · 33 Confiance : Confiance 77 % — 3 signal(aux) capteur Protocole émulé 1 Signaux Weblogic Console Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��>�mswuI�uf6M��9l��]>/�g� �$-��d�K�G�'��q�MR�^�4�,�o&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��>�mswuI�uf6M��9l ��]>/�g� �$-��d�K�G�'��q�MR�^�4�,�o&�+�/�,�0̨̩� �� /5� w �+3&$ �ڼ@@\j��3�N��9�a�Ð��K��I Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043", "emulator_response_len": 177, "bytes_in": 239, "payload_entropy": 5.794342626461386, "port_category": "registered", "org": "Google LLC", "service": "weblogic", "app_proto": "weblogic", "asn": 396982, "country": "BE", "dst_port": 7001, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 33, "tag_count": 3, "anomaly_count": 0, "campaign_key": "a513a8b6579875aee9e6cefbe17ae13f4cd756cc", "event_fingerprint": "4ea7ffe7bc9ade2843b5e81016a496bfea35cfd6", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "confidence": 0.77, "classification_confidence": 0.77, "precision_score": 87, "precision_signals": [ "INT-weblogic_console", "INT-upstream" ], "kb_rule_ids": [ "INT-weblogic_console", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "named_classification_skipped": false, "service_name": "weblogic", "risk_confidence_factor": 77, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ca20ec55a09460627bdbdab47f8c2bdc", "path_pattern_hash": "a179ef516d6662010534ca5ee85ea8d3", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7001, "service": "weblogic", "service_name": "weblogic", "risk_score": 33 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>\ufffd\u0018\u0010m\u001dswu\u001eI\ufffduf6\u0017M\ufffd\ufffd9l\f\ufffd\ufffd]>\/\u0001\ufffdg\u0000\ufffd \ufffd$-\ufffd\ufffd\u0000d\ufffdK\ufffdG\ufffd'\ufffd\ufffd\ufffdq\ufffd\u0002\u001cMR\ufffd^\ufffd4\u0019\ufffd,\ufffd\u0015o\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>\ufffd\u0018\u0010m\u001dswu\u001eI\ufffduf6\u0017M\ufffd\ufffd9l\f\ufffd\ufffd]>\/\u0001\ufffdg\u0000\ufffd \ufffd$-\ufffd\ufffd\u0000d\ufffdK\ufffdG\ufffd'\ufffd\ufffd\ufffdq\ufffd\u0002\u001cMR\ufffd^\ufffd4\u0019\ufffd,\ufffd\u0015o\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u06bc@@\\j\ufffd\ufffd\ufffd3\ufffdN\ufffd\u0001\ufffd\ufffd9\ufffda\u001e\u001d\ufffd\u00d0\ufffd\ufffd\ufffdK\ufffd\ufffdI", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>\ufffd\u0018\u0010m\u001dswu\u001eI\ufffduf6\u0017M\ufffd\ufffd9l\f\ufffd\ufffd]>\/\u0001\ufffdg\u0000\ufffd \ufffd$-\ufffd\ufffd\u0000d\ufffdK\ufffdG\ufffd'\ufffd\ufffd\ufffdq\ufffd\u0002\u001cMR\ufffd^\ufffd4\u0019\ufffd,\ufffd\u0015o\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b55f53da255ff87df51844efe39220ba8df4a7a5", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>\ufffd\u0018\u0010m\u001dswu\u001eI\ufffduf6\u0017M\ufffd\ufffd9l\f\ufffd\ufffd]>\/\u0001\ufffdg\u0000\ufffd \ufffd$-\ufffd\ufffd\u0000d\ufffdK\ufffdG\ufffd'\ufffd\ufffd\ufffdq\ufffd\u0002\u001cMR\ufffd^\ufffd4\u0019\ufffd,\ufffd\u0015o\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "evidence_snippet": "\ufffd\ufffd>\ufffdmswuI\ufffduf6M\ufffd\ufffd9l\ufffd\ufffd]>\/\ufffdg\ufffd \ufffd$-\ufffd\ufffdd\ufffdK\ufffdG\ufffd'\ufffd\ufffd\ufffdq\ufffdMR\ufffd^\ufffd4\ufffd,\ufffdo&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "classification_reason_label_fr": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 77, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": "weblogic", "service_label_fr": "WEBLOGIC", "dst_port": 7001, "protocol_emulated": true, "tags_summary": [ "INT-weblogic_console", "INT-upstream" ], "tags_summary_labels_fr": [ "Weblogic Console", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003>\ufffd\u0018\u0010m\u001dswu\u001eI\ufffduf6\u0017M\ufffd\ufffd9l\f\ufffd\ufffd]>\/\u0001\ufffdg\u0000\ufffd \ufffd$-\ufffd\ufffd\u0000d\ufffdK\ufffdG\ufffd'\ufffd\ufffd\ufffdq\ufffd\u0002\u001cMR\ufffd^\ufffd4\u0019\ufffd,\ufffd\u0015o\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd>\ufffdmswuI\ufffduf6M\ufffd\ufffd9l\ufffd\ufffd]>\/\ufffdg\ufffd \ufffd$-\ufffd\ufffdd\ufffdK\ufffdG\ufffd'\ufffd\ufffd\ufffdq\ufffdMR\ufffd^\ufffd4\ufffd,\ufffdo&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 77 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic", "service_banner": "honeypot-weblogic", "service_os": "linux", "dst_port": "7001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_weblogic_probe", "tls_clienthello", "weblogic_emulated" ], "asn_dc_heuristic": true }
15/06/2026 22:23:17 UTC	TCP	7001 · WEBLOGIC	weblogic	weblogic probe weblogic probe · via WEBLOGIC:7001 · (sonde / probe)	Élevée	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur WEBLOGIC WAF — Recommandation Surveiller Tags net_weblogic_probe tls_clienthello weblogic_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7001 Chemin / cible — Service WEBLOGIC Payload ��jJK��=L�׍�L�CҴ)y�M�* ��/ �L�=߷��fe�Ir�`��ϣ ykK~�n��T�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « weblogic_probe » (signaux protocolaires) · confiance 77% Confiance classification 77% Risque capteur Faible · 33 Confiance : Confiance 77 % — 3 signal(aux) capteur Protocole émulé 1 Signaux Weblogic Console Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��jJK��=L�׍�L�CҴ)y�M���/ �L�=߷��fe�Ir�`��ϣ ykK~�n��T�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��jJK��=L�׍�L�CҴ)y�M� ��/ �L�=߷��fe�Ir�`��ϣ ykK~�n��T�&�+�/�,�0̨̩� �� /5� w �+3&$ ��w�K܃��Ni��t�� !z��F Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043", "emulator_response_len": 177, "bytes_in": 239, "payload_entropy": 5.84627332892603, "port_category": "registered", "org": "Google LLC", "service": "weblogic", "app_proto": "weblogic", "asn": 396982, "country": "BE", "dst_port": 7001, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 33, "tag_count": 3, "anomaly_count": 0, "campaign_key": "a513a8b6579875aee9e6cefbe17ae13f4cd756cc", "event_fingerprint": "4ea7ffe7bc9ade2843b5e81016a496bfea35cfd6", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "confidence": 0.77, "classification_confidence": 0.77, "precision_score": 87, "precision_signals": [ "INT-weblogic_console", "INT-upstream" ], "kb_rule_ids": [ "INT-weblogic_console", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "named_classification_skipped": false, "service_name": "weblogic", "risk_confidence_factor": 77, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0e9f0c36b5f543cce1e6cbb2e50b86d4", "path_pattern_hash": "a179ef516d6662010534ca5ee85ea8d3", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7001, "service": "weblogic", "service_name": "weblogic", "risk_score": 33 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003jJK\ufffd\u0002\ufffd\ufffd\u0004\ufffd=L\ufffd\u05cd\ufffdL\ufffdC\u04b4)y\u0012\ufffdM\u0019\ufffd\f\ufffd\ufffd\/ \ufffdL\ufffd=\u07f7\ufffd\ufffdfe\ufffdI\u0015r\ufffd`\ufffd\ufffd\u03e3\tykK~\u0012\ufffdn\ufffd\ufffdT\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003jJK\ufffd\u0002\ufffd\ufffd\u0004\ufffd=L\ufffd\u05cd\ufffdL\ufffdC\u04b4)y\u0012\ufffdM\u0019\ufffd\f\ufffd\ufffd\/ \ufffdL\ufffd=\u07f7\ufffd\ufffdfe\ufffdI\u0015r\ufffd`\ufffd\ufffd\u03e3\tykK~\u0012\ufffdn\ufffd\ufffdT\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdw\ufffdK\u0703\b\ufffd\ufffdNi\ufffd\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd\u0012\t\ufffd\ufffd\u0014!z\ufffd\ufffdF", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003jJK\ufffd\u0002\ufffd\ufffd\u0004\ufffd=L\ufffd\u05cd\ufffdL\ufffdC\u04b4)y\u0012\ufffdM\u0019\ufffd\f\ufffd\ufffd\/ \ufffdL\ufffd=\u07f7\ufffd\ufffdfe\ufffdI\u0015r\ufffd`\ufffd\ufffd\u03e3\tykK~\u0012\ufffdn\ufffd\ufffdT\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "56fa33535fcc94a3d34c851cefcf1430e1f4dfd5", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003jJK\ufffd\u0002\ufffd\ufffd\u0004\ufffd=L\ufffd\u05cd\ufffdL\ufffdC\u04b4)y\u0012\ufffdM\u0019\ufffd\f\ufffd\ufffd\/ \ufffdL\ufffd=\u07f7\ufffd\ufffdfe\ufffdI\u0015r\ufffd`\ufffd\ufffd\u03e3\tykK~\u0012\ufffdn\ufffd\ufffdT\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "evidence_snippet": "\ufffd\ufffdjJK\ufffd\ufffd\ufffd\ufffd=L\ufffd\u05cd\ufffdL\ufffdC\u04b4)y\ufffdM\ufffd\ufffd\ufffd\/ \ufffdL\ufffd=\u07f7\ufffd\ufffdfe\ufffdIr\ufffd`\ufffd\ufffd\u03e3\tykK~\ufffdn\ufffd\ufffdT\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "classification_reason_label_fr": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 77, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": "weblogic", "service_label_fr": "WEBLOGIC", "dst_port": 7001, "protocol_emulated": true, "tags_summary": [ "INT-weblogic_console", "INT-upstream" ], "tags_summary_labels_fr": [ "Weblogic Console", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003jJK\ufffd\u0002\ufffd\ufffd\u0004\ufffd=L\ufffd\u05cd\ufffdL\ufffdC\u04b4)y\u0012\ufffdM\u0019\ufffd\f\ufffd\ufffd\/ \ufffdL\ufffd=\u07f7\ufffd\ufffdfe\ufffdI\u0015r\ufffd`\ufffd\ufffd\u03e3\tykK~\u0012\ufffdn\ufffd\ufffdT\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdjJK\ufffd\ufffd\ufffd\ufffd=L\ufffd\u05cd\ufffdL\ufffdC\u04b4)y\ufffdM\ufffd*\ufffd\ufffd\/ \ufffdL\ufffd=\u07f7\ufffd\ufffdfe\ufffdIr\ufffd`\ufffd\ufffd\u03e3\tykK~\ufffdn\ufffd\ufffdT\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 77 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic", "service_banner": "honeypot-weblogic", "service_os": "linux", "dst_port": "7001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_weblogic_probe", "tls_clienthello", "weblogic_emulated" ], "asn_dc_heuristic": true }
15/06/2026 22:23:17 UTC	TCP	7001 · WEBLOGIC	weblogic	weblogic probe weblogic probe · via WEBLOGIC:7001 · (sonde / probe)	Élevée	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur WEBLOGIC WAF — Recommandation Surveiller Tags net_weblogic_probe tls_clienthello weblogic_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7001 Chemin / cible — Service WEBLOGIC Payload ��y�߱�� DyH& ��{��/�Z�9[ Yą�Od��6d��9�2�p��E{!��eC&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « weblogic_probe » (signaux protocolaires) · confiance 77% Confiance classification 77% Risque capteur Faible · 33 Confiance : Confiance 77 % — 3 signal(aux) capteur Protocole émulé 1 Signaux Weblogic Console Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��y�߱�� DyH&��{��/�Z�9[ Yą�Od��6d��9�2�p��E{!��eC&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��y�߱�� DyH& ��{��/�Z�9[ Yą�Od��6d��9�2�p��E{!��eC&�+�/�,�0̨̩� �� /5� w �+3&$ .wry�Ix��5�),w,0��:��,L Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043", "emulator_response_len": 177, "bytes_in": 239, "payload_entropy": 5.699969586453253, "port_category": "registered", "org": "Google LLC", "service": "weblogic", "app_proto": "weblogic", "asn": 396982, "country": "BE", "dst_port": 7001, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 33, "tag_count": 3, "anomaly_count": 0, "campaign_key": "a513a8b6579875aee9e6cefbe17ae13f4cd756cc", "event_fingerprint": "4ea7ffe7bc9ade2843b5e81016a496bfea35cfd6", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "confidence": 0.77, "classification_confidence": 0.77, "precision_score": 87, "precision_signals": [ "INT-weblogic_console", "INT-upstream" ], "kb_rule_ids": [ "INT-weblogic_console", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "named_classification_skipped": false, "service_name": "weblogic", "risk_confidence_factor": 77, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "772bc0bae8dd57228259b14245e8d331", "path_pattern_hash": "a179ef516d6662010534ca5ee85ea8d3", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7001, "service": "weblogic", "service_name": "weblogic", "risk_score": 33 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003y\u000e\ufffd\u07f1\ufffd\ufffd\rDyH&\f\ufffd\ufffd\u0012\ufffd\u0005\u0012{\ufffd\ufffd\/\ufffdZ\ufffd\u00009\u0012[\u0000 Y\u0105\u0004\u0006\ufffdOd\ufffd\u0011\ufffd\ufffd6d\ufffd\ufffd\ufffd9\ufffd2\ufffdp\ufffd\ufffdE{!\ufffd\ufffdeC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003y\u000e\ufffd\u07f1\ufffd\ufffd\rDyH&\f\ufffd\ufffd\u0012\ufffd\u0005\u0012{\ufffd\ufffd\/\ufffdZ\ufffd\u00009\u0012[\u0000 Y\u0105\u0004\u0006\ufffdOd\ufffd\u0011\ufffd\ufffd6d\ufffd\ufffd\ufffd9\ufffd2\ufffdp\ufffd\ufffdE{!\ufffd\ufffdeC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 .w\u0015ry\ufffd\u001bIx\ufffd\ufffd5\ufffd\u0012),w\u0012\u0010\u0010,0\ufffd\ufffd:\u001a\ufffd\ufffd,L", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003y\u000e\ufffd\u07f1\ufffd\ufffd\rDyH&\f\ufffd\ufffd\u0012\ufffd\u0005\u0012{\ufffd\ufffd\/\ufffdZ\ufffd\u00009\u0012[\u0000 Y\u0105\u0004\u0006\ufffdOd\ufffd\u0011\ufffd\ufffd6d\ufffd\ufffd\ufffd9\ufffd2\ufffdp\ufffd\ufffdE{!\ufffd\ufffdeC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a9740baee42c04c64023ffe016c35cd60a233ee0", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003y\u000e\ufffd\u07f1\ufffd\ufffd\rDyH&\f\ufffd\ufffd\u0012\ufffd\u0005\u0012{\ufffd\ufffd\/\ufffdZ\ufffd\u00009\u0012[\u0000 Y\u0105\u0004\u0006\ufffdOd\ufffd\u0011\ufffd\ufffd6d\ufffd\ufffd\ufffd9\ufffd2\ufffdp\ufffd\ufffdE{!\ufffd\ufffdeC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "evidence_snippet": "\ufffd\ufffdy\ufffd\u07f1\ufffd\ufffd\rDyH&\ufffd\ufffd\ufffd{\ufffd\ufffd\/\ufffdZ\ufffd9[ Y\u0105\ufffdOd\ufffd\ufffd\ufffd6d\ufffd\ufffd\ufffd9\ufffd2\ufffdp\ufffd\ufffdE{!\ufffd\ufffdeC&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "classification_reason_label_fr": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 77, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 33 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": "weblogic", "service_label_fr": "WEBLOGIC", "dst_port": 7001, "protocol_emulated": true, "tags_summary": [ "INT-weblogic_console", "INT-upstream" ], "tags_summary_labels_fr": [ "Weblogic Console", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003y\u000e\ufffd\u07f1\ufffd\ufffd\rDyH&\f\ufffd\ufffd\u0012\ufffd\u0005\u0012{\ufffd\ufffd\/\ufffdZ\ufffd\u00009\u0012[\u0000 Y\u0105\u0004\u0006\ufffdOd\ufffd\u0011\ufffd\ufffd6d\ufffd\ufffd\ufffd9\ufffd2\ufffdp\ufffd\ufffdE{!\ufffd\ufffdeC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdy\ufffd\u07f1\ufffd\ufffd\rDyH&\ufffd\ufffd\ufffd{\ufffd\ufffd\/\ufffdZ\ufffd9[ Y\u0105\ufffdOd\ufffd\ufffd\ufffd6d\ufffd\ufffd\ufffd9\ufffd2\ufffdp\ufffd\ufffdE{!\ufffd\ufffde*C&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 77 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic", "service_banner": "honeypot-weblogic", "service_os": "linux", "dst_port": "7001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_weblogic_probe", "tls_clienthello", "weblogic_emulated" ], "asn_dc_heuristic": true }

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

34.140.113.180

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

34.140.113.180

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence