|
|
TCP |
143 · IMAP
|
imap
|
Sonde POP3
pop3 probe · via IMAP:143 · (sonde / probe)
|
Élevée
|
Moyen · 45
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
mongodb_probe
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Service
IMAP
Payload
���(r������������������|��������������������
Pourquoi cette classification : Rafale d'authentification SSH · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 45
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0532
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
���(r������������������|
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 44,
"payload_entropy": 1.9235205817738175,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "55a3e6adc384f2fbeb8c47557fd27b308338b059",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0532"
],
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 45
},
"service_name": "imap",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2a177602bee0d039f41fbd6da5240e04",
"path_pattern_hash": "44d5bece51c65fa33908cf3d76b6745a"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 45
},
"payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"request_sample": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "db6f9a64405ba0083fc79a1bcec7c326bafee400",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "\ufffd(r\ufffd\ufffd\ufffd\ufffd|",
"attack_vector": "pop3 probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"pat-0532"
],
"tags_summary_labels_fr": [
"pat-0532"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "pop3 probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd(r\ufffd\ufffd\ufffd\ufffd|",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"mongodb_probe",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde POP3
pop3 probe · via IMAP:143 · (sonde / probe)
|
Élevée
|
Moyen · 45
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Service
IMAP
Payload
���f�SMB@�����������������������������������������������������������$������������333333333333337����������
Pourquoi cette classification : Rafale d'authentification SSH · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 45
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0532
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
f�SMB@�����������������������������������������������������������$������������333333333333337����������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 106,
"payload_entropy": 1.562219115128654,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 45,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ba54c69867e6b8120ca43682f345981a8ad648a8",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0532"
],
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 45
},
"service_name": "imap",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c410cf23b3d85ec98026baf9f8231d24",
"path_pattern_hash": "44d5bece51c65fa33908cf3d76b6745a"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 45
},
"payload_preview": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"request_sample": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"payload_snippet": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"evidence": {
"request_sample": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"payload_snippet": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2f4796c288e9ea4ed160cbee6b448ab079ed15f5",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "f\ufffdSMB@$333333333333337",
"attack_vector": "pop3 probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"pat-0532"
],
"tags_summary_labels_fr": [
"pat-0532"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "pop3 probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "f\ufffdSMB@$333333333333337",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde POP3
pop3 probe · via IMAP:143 · (sonde / probe)
|
Élevée
|
Moyen · 45
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Service
IMAP
Payload
�J����������
Pourquoi cette classification : Rafale d'authentification SSH · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 45
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�J����������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 12,
"payload_entropy": 2.125814583693911,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 45,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ba54c69867e6b8120ca43682f345981a8ad648a8",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 45
},
"service_name": "imap",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "184e10f1372e325b40c71165d7f1fe54",
"path_pattern_hash": "44d5bece51c65fa33908cf3d76b6745a"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 45
},
"payload_preview": "\ufffdJ\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"request_sample": "\ufffdJ\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"payload_snippet": "\ufffdJ\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"evidence": {
"request_sample": "\ufffdJ\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"payload_snippet": "\ufffdJ\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9c9d8b2a818b4c8bf00b3ee47b26ceab9d009299",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\ufffdJ\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "\ufffdJ",
"attack_vector": "pop3 probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\ufffdJ\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "pop3 probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffdJ",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde port 143/TCP
port 143 tcp · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Preuve honeypot — Sonde port 143/TCP
Connexion détectée sur le port 143 (TCP) du capteur simulé.
Service
IMAP
Payload
*1 $4 PING
Pourquoi cette classification : Rafale d'authentification SSH · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Redis PING RESP
User-Agent
—
Règles WAF
—
Payload (extrait)
*1
$4
PING
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 14,
"payload_entropy": 3.128085278891395,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 38,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ba54c69867e6b8120ca43682f345981a8ad648a8",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"matched_patterns": [
"pat-0414"
],
"matched_pattern_names": [
"Redis PING RESP"
],
"pattern_ids": [
"pat-0414"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "pop3_probe",
"service_name": "imap",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a43cb6a3b9d261112714d00e36b33106",
"path_pattern_hash": "a16ceff6d669b3e29397887a084460a7"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 38
},
"payload_preview": "*1\r\n$4\r\nPING\r\n",
"request_sample": "*1\r\n$4\r\nPING\r\n",
"payload_snippet": "*1\r\n$4\r\nPING",
"evidence": {
"request_sample": "*1\r\n$4\r\nPING\r\n",
"payload_snippet": "*1\r\n$4\r\nPING",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6faf2287f1ffaf66f8669292a8f33875ffecd1f7",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "*1\r\n$4\r\nPING",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "*1\r\n$4\r\nPING",
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "*1\r\n$4\r\nPING",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "*1\r\n$4\r\nPING",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
mqtt probe
mqtt probe · via IMAP:143 · (sonde / probe)
|
Élevée
|
Moyen · 49
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
mqtt_connect
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Service
IMAP
Payload
����MQTT���<��AAAAA
Pourquoi cette classification : Rafale d'authentification SSH · confiance 97%
Confiance classification
97%
Risque capteur
Moyen
· 49
Confiance : Confiance 97 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0373
pat-0615
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
MQTT protocol
MQTT alt CONNECT
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
����MQTT���<��AAAAA
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 19,
"payload_entropy": 3.281373409411991,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 49,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "87f83c059f12c06c6f8d0af47ce2bedaaa4df77d",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%",
"confidence": 0.97,
"classification_confidence": 0.97,
"precision_score": 110,
"precision_signals": [
"pat-0373",
"pat-0615"
],
"kb_rule_ids": [
"pat-0373",
"pat-0615"
],
"matched_patterns": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"matched_pattern_names": [
"MQTT protocol",
"MQTT alt CONNECT",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 49
},
"named_classification_skipped": false,
"service_name": "imap",
"risk_confidence_factor": 97,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "146feb4208f989935534a353df60ec62",
"path_pattern_hash": "4449b927317468afa12a2f935a413459"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 49
},
"payload_preview": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"request_sample": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"payload_snippet": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"evidence": {
"request_sample": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"payload_snippet": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2f5e819395fd86f371ce3dc96f4c6e53f3882a0d",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "MQTT<AAAAA",
"attack_vector": "mqtt probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 97%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100",
"confidence_pct": 97,
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 49
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 49,
"risk_label": "Moyen",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"pat-0373",
"pat-0615"
],
"tags_summary_labels_fr": [
"pat-0373",
"pat-0615"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "mqtt probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "MQTT<AAAAA",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 97 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"mqtt_connect",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde port 143/TCP
port 143 tcp · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Preuve honeypot — Sonde port 143/TCP
Connexion détectée sur le port 143 (TCP) du capteur simulé.
Service
IMAP
Payload
JDWP-Handshake
Pourquoi cette classification : Rafale d'authentification SSH · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
JDWP-Handshake
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 14,
"payload_entropy": 3.6644977792004623,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 38,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ba54c69867e6b8120ca43682f345981a8ad648a8",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "pop3_probe",
"service_name": "imap",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d7cf99dd7541d7bd514fc0d9a1b2d531",
"path_pattern_hash": "a16ceff6d669b3e29397887a084460a7"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 38
},
"payload_preview": "JDWP-Handshake",
"request_sample": "JDWP-Handshake",
"payload_snippet": "JDWP-Handshake",
"evidence": {
"request_sample": "JDWP-Handshake",
"payload_snippet": "JDWP-Handshake",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "140ff07d9a830c0a4efce96827727fabc31533b7",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "JDWP-Handshake",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "JDWP-Handshake",
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "JDWP-Handshake",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "JDWP-Handshake",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde Java RMI
java rmi probe · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 32
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Service
IMAP
Payload
JRMI��K
Pourquoi cette classification : Rafale d'authentification SSH · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 32
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0604
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Java RMI JRMI
User-Agent
—
Règles WAF
—
Payload (extrait)
JRMI��K
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 7,
"payload_entropy": 2.807354922057604,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 56,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 32,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ba54c69867e6b8120ca43682f345981a8ad648a8",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0604"
],
"kb_rule_ids": [
"pat-0604"
],
"matched_patterns": [
"pat-0604"
],
"matched_pattern_names": [
"Java RMI JRMI"
],
"pattern_ids": [
"pat-0604"
],
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 32
},
"named_classification_skipped": false,
"service_name": "imap",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d8c49a0f759e2102fb8fa8368049d06a",
"path_pattern_hash": "7a566ca86213ccd15a91c0b5a885a24f"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 32
},
"payload_preview": "JRMI\u0000\u0002K",
"request_sample": "JRMI\u0000\u0002K",
"payload_snippet": "JRMI\u0000\u0002K",
"evidence": {
"request_sample": "JRMI\u0000\u0002K",
"payload_snippet": "JRMI\u0000\u0002K",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"enterprise_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "854c96eb854a5f277e207f29dd59910f8da36d6d",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "JRMI\u0000\u0002K",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "JRMIK",
"attack_vector": "java rmi probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 32
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 32,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"pat-0604"
],
"tags_summary_labels_fr": [
"pat-0604"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "JRMI\u0000\u0002K",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "java rmi probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "JRMIK",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 2,
"behavior_priority": 72
}
|
|
|
TCP |
143 · IMAP
|
imap
|
mqtt probe
mqtt probe · via IMAP:143 · (sonde / probe)
|
Élevée
|
Moyen · 49
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
mqtt_connect
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Service
IMAP
Payload
����MQTT���<���AAAAA
Pourquoi cette classification : Rafale d'authentification SSH · confiance 97%
Confiance classification
97%
Risque capteur
Moyen
· 49
Confiance : Confiance 97 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0373
pat-0615
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
MQTT protocol
MQTT alt CONNECT
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
����MQTT���<���AAAAA
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 20,
"payload_entropy": 3.1414460711655217,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 49,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "87f83c059f12c06c6f8d0af47ce2bedaaa4df77d",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%",
"confidence": 0.97,
"classification_confidence": 0.97,
"precision_score": 110,
"precision_signals": [
"pat-0373",
"pat-0615"
],
"kb_rule_ids": [
"pat-0373",
"pat-0615"
],
"matched_patterns": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"matched_pattern_names": [
"MQTT protocol",
"MQTT alt CONNECT",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 49
},
"named_classification_skipped": false,
"service_name": "imap",
"risk_confidence_factor": 97,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "8cbaa0e25147458ba5f5f0e8603c4f19",
"path_pattern_hash": "4449b927317468afa12a2f935a413459"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 49
},
"payload_preview": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"request_sample": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"payload_snippet": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"evidence": {
"request_sample": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"payload_snippet": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "11fa1eb384becec722198043f70a82d1505a7e32",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "MQTT<AAAAA",
"attack_vector": "mqtt probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 97%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100",
"confidence_pct": 97,
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 49
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 49,
"risk_label": "Moyen",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"pat-0373",
"pat-0615"
],
"tags_summary_labels_fr": [
"pat-0373",
"pat-0615"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "mqtt probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "MQTT<AAAAA",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 97 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"mqtt_connect",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde port 143/TCP
port 143 tcp · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Preuve honeypot — Sonde port 143/TCP
Connexion détectée sur le port 143 (TCP) du capteur simulé.
Service
IMAP
Payload
@RSYTCD: 29
Pourquoi cette classification : Rafale d'authentification SSH · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
@RSYTCD: 29
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 12,
"payload_entropy": 3.584962500721156,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 38,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ba54c69867e6b8120ca43682f345981a8ad648a8",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "pop3_probe",
"service_name": "imap",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b2993d6e4414a846683a71de5eb18653",
"path_pattern_hash": "a16ceff6d669b3e29397887a084460a7"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 38
},
"payload_preview": "@RSYTCD: 29\n",
"request_sample": "@RSYTCD: 29\n",
"payload_snippet": "@RSYTCD: 29",
"evidence": {
"request_sample": "@RSYTCD: 29\n",
"payload_snippet": "@RSYTCD: 29",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3d5f192ebb06587acea73aaa1ec1472e18a07c5a",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "@RSYTCD: 29",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "@RSYTCD: 29",
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "@RSYTCD: 29",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "@RSYTCD: 29",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
oracle tns probe
oracle tns probe · via IMAP:143 · (sonde / probe)
|
Élevée
|
Moyen · 45
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Service
IMAP
Payload
���������<�,�������������:������������������������������(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123
Pourquoi cette classification : Rafale d'authentification SSH · confiance 47%
Confiance classification
47%
Confiance modérée — signal unique
Risque capteur
Moyen
· 45
Confiance : Confiance 47 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0520
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Oracle TNS connect
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������<�,�������������:������������������������������(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123
Requête brute (extrait)
��������<�,�������������:������������������������������(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=143)))
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 239,
"payload_entropy": 5.132703487286676,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 45,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ba54c69867e6b8120ca43682f345981a8ad648a8",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 47%",
"confidence": 0.47,
"classification_confidence": 0.47,
"precision_score": 56,
"precision_signals": [
"pat-0520"
],
"kb_rule_ids": [
"pat-0520"
],
"matched_patterns": [
"pat-0520",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Oracle TNS connect",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0520",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45
},
"named_classification_skipped": false,
"service_name": "imap",
"risk_confidence_factor": 47,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f07d2061a2dce4f6d094cec701a62767",
"path_pattern_hash": "420e91c120535c16728a9791d446fafc"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 45
},
"payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"request_sample": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=143)))",
"payload_snippet": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"evidence": {
"request_sample": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=143)))",
"payload_snippet": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 47%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ee714826d3b83726aedd3c8b6f1f54cadb45e8ce",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "\ufffd<,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"attack_vector": "oracle tns probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 47%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 47%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 47,
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"pat-0520"
],
"tags_summary_labels_fr": [
"pat-0520"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "oracle tns probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd<,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 47 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Protocole TDS MSSQL
mssql tds · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 32
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce_burst
net_pop3_probe
postgres_startup
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Service
IMAP
Payload
���T����user�postgres�database�postgres�application_name�psql�client_encoding�UTF8��
Pourquoi cette classification : Rafale d'authentification SSH · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 32
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0356
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
MSSQL TDS prelogin
ET H.323 setup
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
T����user�postgres�database�postgres�application_name�psql�client_encoding�UTF8
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 84,
"payload_entropy": 4.139167728978457,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 56,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 10,
"risk_boost": 0,
"risk_granularity": 4.8,
"risk_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 10
},
"risk_score": 32,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "53d96c2bc3c802d2bc946b9ed73e513b670dac7f",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0356"
],
"kb_rule_ids": [
"pat-0356"
],
"matched_patterns": [
"pat-0348",
"pat-0356",
"pat-0868",
"pat-0554"
],
"matched_pattern_names": [
"RDP TPKT header",
"MSSQL TDS prelogin",
"ET H.323 setup",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0348",
"pat-0356",
"pat-0868",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 10,
"risk_score": 32
},
"named_classification_skipped": false,
"service_name": "imap",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "94e606a42613d0ef095b8001a98bf6ed",
"path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 32
},
"payload_preview": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"request_sample": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"payload_snippet": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"evidence": {
"request_sample": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"payload_snippet": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "91f74aa0f069bac342b5ba2981a7db41170a545f",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8",
"attack_vector": "mssql tds \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 10,
"risk_score": 32
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 32,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"pat-0356"
],
"tags_summary_labels_fr": [
"pat-0356"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "mssql tds \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce_burst",
"net_pop3_probe",
"postgres_startup",
"postgresql_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde RTSP
rtsp probe · via IMAP:143 · (sonde / probe)
|
Élevée
|
Moyen · 42
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Service
IMAP
Payload
OPTIONS rtsp://example.com RTSP/1.0 Cseq: 917
Pourquoi cette classification : Rafale d'authentification SSH · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Moyen
· 42
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0382
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
RTSP protocol
HTTP OPTIONS method
User-Agent
—
Règles WAF
—
Payload (extrait)
OPTIONS rtsp://example.com RTSP/1.0
Cseq: 917
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 50,
"payload_entropy": 4.768367439558379,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ba54c69867e6b8120ca43682f345981a8ad648a8",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0382"
],
"kb_rule_ids": [
"pat-0382"
],
"matched_patterns": [
"pat-0103",
"pat-0382",
"pat-0420"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"RTSP protocol",
"HTTP OPTIONS method"
],
"pattern_ids": [
"pat-0103",
"pat-0382",
"pat-0420"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42
},
"named_classification_skipped": false,
"service_name": "imap",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "005808694f6e25a8bf22fd9e5b864e9d",
"path_pattern_hash": "b1dd2a100b4c2489a836875293183168"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 42
},
"payload_preview": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 917\r\n\r\n",
"request_sample": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 917\r\n\r\n",
"payload_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 917",
"evidence": {
"request_sample": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 917\r\n\r\n",
"payload_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 917",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9dd7d0f334a9044915e85e60838ed47459a9d856",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 917",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 917",
"attack_vector": "rtsp probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"pat-0382"
],
"tags_summary_labels_fr": [
"pat-0382"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 917",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "rtsp probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 917",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde Kafka
kafka probe · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 32
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Service
IMAP
Payload
���C�����3���consumer-Offset Explorer 2.2-18��apache-kafka-java�2.4.0�
Pourquoi cette classification : Rafale d'authentification SSH · confiance 47%
Confiance classification
47%
Confiance modérée — signal unique
Risque capteur
Faible
· 32
Confiance : Confiance 47 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0556
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Kafka ApiVersions key
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
C�����3���consumer-Offset Explorer 2.2-18��apache-kafka-java�2.4.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 71,
"payload_entropy": 4.83906190787142,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 56,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 32,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ba54c69867e6b8120ca43682f345981a8ad648a8",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 47%",
"confidence": 0.47,
"classification_confidence": 0.47,
"precision_score": 56,
"precision_signals": [
"pat-0556"
],
"kb_rule_ids": [
"pat-0556"
],
"matched_patterns": [
"pat-0556",
"pat-0554"
],
"matched_pattern_names": [
"Kafka ApiVersions key",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0556",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 32
},
"named_classification_skipped": false,
"service_name": "imap",
"risk_confidence_factor": 47,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d9bcc621186ef441cc445f2b3dbd5f10",
"path_pattern_hash": "369bfdf011acc5969bcb68a7ffd2ca13"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 32
},
"payload_preview": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"request_sample": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"payload_snippet": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"evidence": {
"request_sample": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"payload_snippet": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 47%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"enterprise_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "845b5e85cea817fc3dad590779d1209445f8a149",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0",
"attack_vector": "kafka probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 47%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 47%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100",
"confidence_pct": 47,
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 32
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 32,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"pat-0556"
],
"tags_summary_labels_fr": [
"pat-0556"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "kafka probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 47 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde port 143/TCP
port 143 tcp · via IMAP:143 · (sonde / probe)
|
Élevée
|
Moyen · 40
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce_burst
net_pop3_probe
postgres_startup
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Preuve honeypot — Sonde port 143/TCP
Connexion détectée sur le port 143 (TCP) du capteur simulé.
Service
IMAP
Payload
���#�����3�� adminclient-5������6UhCJe
Pourquoi cette classification : Rafale d'authentification SSH · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Moyen
· 40
Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Signaux
pat-0348
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
ET H.323 setup
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
#�����3��
adminclient-5������6UhCJe
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 39,
"payload_entropy": 4.155818941810702,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 10,
"risk_boost": 0,
"risk_granularity": 4.8,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 10
},
"risk_score": 40,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "53d96c2bc3c802d2bc946b9ed73e513b670dac7f",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0348"
],
"kb_rule_ids": [
"pat-0348"
],
"matched_patterns": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"ET H.323 setup",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 10,
"risk_score": 40
},
"named_classification_skipped": true,
"named_candidate": "rdp_probe",
"service_name": "imap",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "967fc234a7e852d983c05ffd922c6d5d",
"path_pattern_hash": "a16ceff6d669b3e29397887a084460a7"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 40
},
"payload_preview": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u00066UhCJe",
"request_sample": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u00066UhCJe",
"payload_snippet": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u00066UhCJe",
"evidence": {
"request_sample": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u00066UhCJe",
"payload_snippet": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u00066UhCJe",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bfe3202c353ea240a2bdd3a802c57a5b859567cd",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u00066UhCJe",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "#3\ufffd\radminclient-56UhCJe",
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 10,
"risk_score": 40
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 40,
"risk_label": "Moyen",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"pat-0348"
],
"tags_summary_labels_fr": [
"pat-0348"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u00066UhCJe",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "#3\ufffd\radminclient-56UhCJe",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce_burst",
"net_pop3_probe",
"postgres_startup",
"postgresql_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde port 143/TCP
port 143 tcp · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Preuve honeypot — Sonde port 143/TCP
Connexion détectée sur le port 143 (TCP) du capteur simulé.
Pourquoi cette classification : Rafale d'authentification SSH · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 38,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ba54c69867e6b8120ca43682f345981a8ad648a8",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "pop3_probe",
"service_name": "imap",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "a16ceff6d669b3e29397887a084460a7"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 38
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f35954ffee4d153a3e26ff4215a9c5f15c6ad9bb",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Protocole TDS MSSQL
mssql tds · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
mssql_tds
net_bruteforce_burst
net_mssql_tds
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Service
IMAP
Payload
���X�����������%����&����'����+����,�$�� ��������������\�k��٪<�K�{��\2!$���7�b9JF,�����
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Faible
· 35
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0519
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
MSSQL TDS prelogin
Mumble ping
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���X�����������%����&����'����+����,�$�� ��������������\�k��٪<�K�{��\2!$���7�b9JF,�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 88,
"payload_entropy": 4.354527413223707,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 56,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 35,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "cfdd4ec2cc93a8c93c3be7695135bf3fe86cf9d4",
"event_fingerprint": "4bb344bb255ff1a3c57aa6fef8d8d17789d2129d",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 83,
"precision_signals": [
"pat-0519",
"INT-upstream"
],
"kb_rule_ids": [
"pat-0519",
"INT-upstream"
],
"matched_patterns": [
"pat-0519",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"MSSQL TDS prelogin",
"Mumble ping",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0519",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "imap",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0efe38694fbb4cc2af819186b5e9ae9e",
"path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 35
},
"payload_preview": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"request_sample": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6ca903b9bc55e46f1c7607d3ef0644dea21f6815",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "X%&'+,$\ufffd\t\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u066a<K\ufffd{\ufffd\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd",
"attack_vector": "mssql tds \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"pat-0519",
"INT-upstream"
],
"tags_summary_labels_fr": [
"pat-0519",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "mssql tds \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "X%&'+,$\ufffd\t\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u066a<K\ufffd{\ufffd\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"mssql_tds",
"net_bruteforce_burst",
"net_mssql_tds"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde port 143/TCP
port 143 tcp · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Preuve honeypot — Sonde port 143/TCP
Connexion détectée sur le port 143 (TCP) du capteur simulé.
Service
IMAP
Payload
0:��m���`2�����cn=khchkftmkbhvtchshjvx��khchkftmkbhvtchshjvx
Pourquoi cette classification : Rafale d'authentification SSH · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
0:��m���`2�����cn=khchkftmkbhvtchshjvx��khchkftmkbhvtchshjvx
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 60,
"payload_entropy": 4.321997530111837,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 38,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ba54c69867e6b8120ca43682f345981a8ad648a8",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "pop3_probe",
"service_name": "imap",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ad6e1e808b347122a848d70f9054f9a9",
"path_pattern_hash": "a16ceff6d669b3e29397887a084460a7"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 38
},
"payload_preview": "0:\u0002\u0004m\ufffd\b\u000f`2\u0002\u0001\u0003\u0004\u0017cn=khchkftmkbhvtchshjvx\ufffd\u0014khchkftmkbhvtchshjvx",
"request_sample": "0:\u0002\u0004m\ufffd\b\u000f`2\u0002\u0001\u0003\u0004\u0017cn=khchkftmkbhvtchshjvx\ufffd\u0014khchkftmkbhvtchshjvx",
"payload_snippet": "0:\u0002\u0004m\ufffd\b\u000f`2\u0002\u0001\u0003\u0004\u0017cn=khchkftmkbhvtchshjvx\ufffd\u0014khchkftmkbhvtchshjvx",
"evidence": {
"request_sample": "0:\u0002\u0004m\ufffd\b\u000f`2\u0002\u0001\u0003\u0004\u0017cn=khchkftmkbhvtchshjvx\ufffd\u0014khchkftmkbhvtchshjvx",
"payload_snippet": "0:\u0002\u0004m\ufffd\b\u000f`2\u0002\u0001\u0003\u0004\u0017cn=khchkftmkbhvtchshjvx\ufffd\u0014khchkftmkbhvtchshjvx",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9ee413637992bd04d41a758a195a462ba61cc873",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "0:\u0002\u0004m\ufffd\b\u000f`2\u0002\u0001\u0003\u0004\u0017cn=khchkftmkbhvtchshjvx\ufffd\u0014khchkftmkbhvtchshjvx",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "0:m\ufffd`2cn=khchkftmkbhvtchshjvx\ufffdkhchkftmkbhvtchshjvx",
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "0:\u0002\u0004m\ufffd\b\u000f`2\u0002\u0001\u0003\u0004\u0017cn=khchkftmkbhvtchshjvx\ufffd\u0014khchkftmkbhvtchshjvx",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "0:m\ufffd`2cn=khchkftmkbhvtchshjvx\ufffdkhchkftmkbhvtchshjvx",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
imap bruteforce
imap bruteforce · via IMAP:143 · (sonde / probe)
|
Élevée
|
Moyen · 41
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
imap_probe
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Service
IMAP
Payload
7FYWU8I4 CAPABILITY
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 41
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Email Imap Login
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
IMAPS CAPABILITY
User-Agent
—
Règles WAF
—
Payload (extrait)
7FYWU8I4 CAPABILITY
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 21,
"payload_entropy": 3.9754180179138325,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 66,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 66,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 41,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "5a93609251623ae2b83496a8a2f385155c1980be",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 76,
"precision_signals": [
"INT-EMAIL-imap-login"
],
"kb_rule_ids": [
"INT-EMAIL-imap-login"
],
"matched_patterns": [
"pat-0630"
],
"matched_pattern_names": [
"IMAPS CAPABILITY"
],
"pattern_ids": [
"pat-0630"
],
"confidence_breakdown": {
"waf": 8,
"classification": 66,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 41
},
"named_classification_skipped": false,
"service_name": "imap",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "210d732342bbb058674b699355410444",
"path_pattern_hash": "d01bbf3f52d5029936b2dffb0f5e856f"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 41
},
"payload_preview": "7FYWU8I4 CAPABILITY\r\n",
"request_sample": "7FYWU8I4 CAPABILITY\r\n",
"payload_snippet": "7FYWU8I4 CAPABILITY",
"evidence": {
"request_sample": "7FYWU8I4 CAPABILITY\r\n",
"payload_snippet": "7FYWU8I4 CAPABILITY",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b2340c9a47367154aa86968756016404b0923a47",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "7FYWU8I4 CAPABILITY",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "7FYWU8I4 CAPABILITY",
"attack_vector": "imap bruteforce \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 41\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 66,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 41
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 41,
"risk_label": "Moyen",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"INT-EMAIL-imap-login"
],
"tags_summary_labels_fr": [
"Email Imap Login"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "7FYWU8I4 CAPABILITY",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "imap bruteforce \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "7FYWU8I4 CAPABILITY",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"imap_probe",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde port 143/TCP
port 143 tcp · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Preuve honeypot — Sonde port 143/TCP
Connexion détectée sur le port 143 (TCP) du capteur simulé.
Pourquoi cette classification : Rafale d'authentification SSH · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 38,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ba54c69867e6b8120ca43682f345981a8ad648a8",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "pop3_probe",
"service_name": "imap",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "a16ceff6d669b3e29397887a084460a7"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 38
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f35954ffee4d153a3e26ff4215a9c5f15c6ad9bb",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 84
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde port 143/TCP
port 143 tcp · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Preuve honeypot — Sonde port 143/TCP
Connexion détectée sur le port 143 (TCP) du capteur simulé.
Service
IMAP
Payload
��������������� ���
Pourquoi cette classification : Rafale d'authentification SSH · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 38
Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Signaux
pat-0348
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
ET H.323 setup
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 19,
"payload_entropy": 1.983740670882855,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 38,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "2831f3269e13930e4781739399d7e516f78cf168",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0348"
],
"kb_rule_ids": [
"pat-0348"
],
"matched_patterns": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"ET H.323 setup",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "rdp_probe",
"service_name": "imap",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0003c8efa0acdc0c6540f4bdb920f6bc",
"path_pattern_hash": "a16ceff6d669b3e29397887a084460a7"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 38
},
"payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "69086b29d578d08a4de3b2f16887dcf6f85052a1",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "\ufffd",
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"pat-0348"
],
"tags_summary_labels_fr": [
"pat-0348"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce",
"net_pop3_probe"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde port 143/TCP
port 143 tcp · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Preuve honeypot — Sonde port 143/TCP
Connexion détectée sur le port 143 (TCP) du capteur simulé.
Service
IMAP
Payload
Not a command
Pourquoi cette classification : Rafale d'authentification SSH · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
Not a command
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 16,
"payload_entropy": 3.327819531114783,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 38,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ba54c69867e6b8120ca43682f345981a8ad648a8",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "pop3_probe",
"service_name": "imap",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ad32b372bf9a8e846b24a957491de4e3",
"path_pattern_hash": "a16ceff6d669b3e29397887a084460a7"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 38
},
"payload_preview": "Not a command \r\n",
"request_sample": "Not a command \r\n",
"payload_snippet": "Not a command",
"evidence": {
"request_sample": "Not a command \r\n",
"payload_snippet": "Not a command",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7615263c51fdc006876ff5448a1b09f336c7ecf2",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "Not a command",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "Not a command",
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "Not a command",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "Not a command",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde POP3
pop3 probe · via IMAP:143 · (sonde / probe)
|
Élevée
|
Moyen · 45
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Service
IMAP
Payload
��9������������version�bind�����
Pourquoi cette classification : Rafale d'authentification SSH · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 45
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0771
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�9������������version�bind�����
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 32,
"payload_entropy": 3.4681390622295662,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 45,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "2831f3269e13930e4781739399d7e516f78cf168",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0771"
],
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 45
},
"service_name": "imap",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "fe9d5a47e85f0816b597518a6a0458aa",
"path_pattern_hash": "44d5bece51c65fa33908cf3d76b6745a"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 45
},
"payload_preview": "\u0000\u001e9\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"request_sample": "\u0000\u001e9\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"payload_snippet": "\u0000\u001e9\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"evidence": {
"request_sample": "\u0000\u001e9\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"payload_snippet": "\u0000\u001e9\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8cef6bc3d5f6b1f3f8d9e4103817ae933f9c07f2",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0000\u001e9\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "9\ufffdversionbind",
"attack_vector": "pop3 probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"pat-0771"
],
"tags_summary_labels_fr": [
"pat-0771"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0000\u001e9\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "pop3 probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "9\ufffdversionbind",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce",
"net_pop3_probe"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde port 143/TCP
port 143 tcp · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Preuve honeypot — Sonde port 143/TCP
Connexion détectée sur le port 143 (TCP) du capteur simulé.
Pourquoi cette classification : Rafale d'authentification SSH · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 38,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "2831f3269e13930e4781739399d7e516f78cf168",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "pop3_probe",
"service_name": "imap",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "a16ceff6d669b3e29397887a084460a7"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 38
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "13d530c6e9ce97a77af012b63c92394703b408b2",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde port 143/TCP
port 143 tcp · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Preuve honeypot — Sonde port 143/TCP
Connexion détectée sur le port 143 (TCP) du capteur simulé.
Pourquoi cette classification : Rafale d'authentification SSH · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 38,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ba54c69867e6b8120ca43682f345981a8ad648a8",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "pop3_probe",
"service_name": "imap",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "a16ceff6d669b3e29397887a084460a7"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 38
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f35954ffee4d153a3e26ff4215a9c5f15c6ad9bb",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde PostgreSQL
postgres probe · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_pop3_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Service
IMAP
Payload
�����������j+�e#�e<���cby���\K4/A1�I����SV ���D����l � �-_v��X �e���O�KjɳL�2�+�/�,�0̨̩� ��� �������/�5��� �#�'�<������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������j+�e#�e<���cby���\K4/A1�I����SV ���D����l �
�-_v��X �e���O�KjɳL�2�+�/�,�0̨̩� ���
�������/�5���
�#�'�<������������
Requête brute (extrait)
�����������j+�e#�e<���cby���\K4/A1�I����SV ���D����l � �-_v��X �e���O�KjɳL�2�+�/�,�0̨̩� ��� �������/�5��� �#�'�<���������������E� ��������������������������� � � ����������� �����������������������������+� ����������3��������3���]L�49A#���'�g�}RU��ri
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 1481,
"payload_entropy": 7.72758487810147,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "2f45474cfafae088642f702bdc389103c10e443e",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "imap",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a8c1a0d8596de41b8f100bd62f375010",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003j+\ufffde#\ufffde<\ufffd\ufffd\ufffdcby\ufffd\u000e\ufffd\\K4\/A1\ufffdI\ufffd\ufffd\ufffd\ufffdSV \ufffd\ufffd\ufffdD\ufffd\ufffd\ufffd\u0006l\t\ufffd\n\ufffd-_v\ufffd\ufffdX\t\ufffde\ufffd\ufffd\ufffdO\ufffdKj\u0273L\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003j+\ufffde#\ufffde<\ufffd\ufffd\ufffdcby\ufffd\u000e\ufffd\\K4\/A1\ufffdI\ufffd\ufffd\ufffd\ufffdSV \ufffd\ufffd\ufffdD\ufffd\ufffd\ufffd\u0006l\t\ufffd\n\ufffd-_v\ufffd\ufffdX\t\ufffde\ufffd\ufffd\ufffdO\ufffdKj\u0273L\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd3\ufffd\u001d\ufffd]L\ufffd49A#\ufffd\u0007\ufffd'\ufffdg\ufffd}RU\ufffd\ufffdri",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003j+\ufffde#\ufffde<\ufffd\ufffd\ufffdcby\ufffd\u000e\ufffd\\K4\/A1\ufffdI\ufffd\ufffd\ufffd\ufffdSV \ufffd\ufffd\ufffdD\ufffd\ufffd\ufffd\u0006l\t\ufffd\n\ufffd-_v\ufffd\ufffdX\t\ufffde\ufffd\ufffd\ufffdO\ufffdKj\u0273L\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "fa825b7cf7f2f311d5698c392e071f1da6d8ef91",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003j+\ufffde#\ufffde<\ufffd\ufffd\ufffdcby\ufffd\u000e\ufffd\\K4\/A1\ufffdI\ufffd\ufffd\ufffd\ufffdSV \ufffd\ufffd\ufffdD\ufffd\ufffd\ufffd\u0006l\t\ufffd\n\ufffd-_v\ufffd\ufffdX\t\ufffde\ufffd\ufffd\ufffdO\ufffdKj\u0273L\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "\ufffd\ufffdj+\ufffde#\ufffde<\ufffd\ufffd\ufffdcby\ufffd\ufffd\\K4\/A1\ufffdI\ufffd\ufffd\ufffd\ufffdSV \ufffd\ufffd\ufffdD\ufffd\ufffd\ufffdl\t\ufffd\n\ufffd-_v\ufffd\ufffdX\t\ufffde\ufffd\ufffd\ufffdO\ufffdKj\u0273L2\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd#\ufffd'<\ufffd\ufffd",
"attack_vector": "postgres probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003j+\ufffde#\ufffde<\ufffd\ufffd\ufffdcby\ufffd\u000e\ufffd\\K4\/A1\ufffdI\ufffd\ufffd\ufffd\ufffdSV \ufffd\ufffd\ufffdD\ufffd\ufffd\ufffd\u0006l\t\ufffd\n\ufffd-_v\ufffd\ufffdX\t\ufffde\ufffd\ufffd\ufffdO\ufffdKj\u0273L\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "postgres probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdj+\ufffde#\ufffde<\ufffd\ufffd\ufffdcby\ufffd\ufffd\\K4\/A1\ufffdI\ufffd\ufffd\ufffd\ufffdSV \ufffd\ufffd\ufffdD\ufffd\ufffd\ufffdl\t\ufffd\n\ufffd-_v\ufffd\ufffdX\t\ufffde\ufffd\ufffd\ufffdO\ufffdKj\u0273L2\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd#\ufffd'<\ufffd\ufffd",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_pop3_probe",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Protocole wire MongoDB
mongodb wire protocol · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
mongodb_hello_probe
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Service
IMAP
Payload
;�������������������admin.$cmd��������������hello��������?�>�������������������admin.$cmd��������������isMaster��������?�
Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0363
pat-0364
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
;�������������������admin.$cmd��������������hello��������?�>�������������������admin.$cmd��������������isMaster��������?
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 121,
"payload_entropy": 3.1150230512705406,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 38,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6647bf02f6c6222c59ba802c4a90d0c6cd861cc0",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 116,
"precision_signals": [
"pat-0363",
"pat-0364"
],
"kb_rule_ids": [
"pat-0363",
"pat-0364"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "imap",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "de7aa004722a47b7532d77bd58324675",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 38
},
"payload_snippet": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000>\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0017\u0000\u0000\u0000\u0001isMaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000",
"evidence": {
"request_sample": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000>\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0017\u0000\u0000\u0000\u0001isMaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000",
"payload_snippet": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000>\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0017\u0000\u0000\u0000\u0001isMaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "68bee6cd6fa3763443d5f7054b89866144a45a2d",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000>\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0017\u0000\u0000\u0000\u0001isMaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": ";\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdhello\ufffd?>\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdisMaster\ufffd?",
"attack_vector": "mongodb wire protocol \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"pat-0363",
"pat-0364"
],
"tags_summary_labels_fr": [
"pat-0363",
"pat-0364"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000>\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0017\u0000\u0000\u0000\u0001isMaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "mongodb wire protocol \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": ";\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdhello\ufffd?>\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdisMaster\ufffd?",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"mongodb_hello_probe",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde port 143/TCP
port 143 tcp · via IMAP:143 · (sonde / probe)
|
Élevée
|
Moyen · 45
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
imap_emulated
mozi_pattern
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Preuve honeypot — Sonde port 143/TCP
Connexion détectée sur le port 143 (TCP) du capteur simulé.
Service
IMAP
Payload
GET / HTTP/1.1 Host: 62.3.50.33:143 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Geck
Pourquoi cette classification : Type « port_143_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Moyen
· 45
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:143
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Geck
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:143 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 188,
"payload_entropy": 5.378117507878917,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 15,
"risk_boost": 20,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "641008c6368a29e5084ba1165fed644ef0e9d02f",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 45
},
"named_classification_skipped": true,
"named_candidate": "pop3_probe",
"service_name": "imap",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "bca5ef6d155fd348b45a01f91ad71ffd",
"path_pattern_hash": "a16ceff6d669b3e29397887a084460a7"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 45
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/127.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/127.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "528ed25a1857f118a48dd35e56cf84e10a4069d4",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"imap_emulated",
"mozi_pattern",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde port 143/TCP
port 143 tcp · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Preuve honeypot — Sonde port 143/TCP
Connexion détectée sur le port 143 (TCP) du capteur simulé.
Service
IMAP
Payload
��7�P��[,<{t�!���Y�ƕ�`5j�6���j���V3�L���Ԝ�R'��x5_�������;�p�q�
Pourquoi cette classification : Type « port_143_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
��7�P��[,<{t�!���Y�ƕ�`5j�6���j���V3�L���Ԝ�R'��x5_�������;�p�q�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 64,
"payload_entropy": 5.71875,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.7,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 38,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "5dbb86240b20f1f0274445eb39af610c11d0b46e",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "pop3_probe",
"service_name": "imap",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "dc919609b0afa91bf6c1174a42e397f6",
"path_pattern_hash": "a16ceff6d669b3e29397887a084460a7"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 38
},
"payload_preview": "\ufffd\ufffd7\ufffdP\ufffd\ufffd[,<{t\u0000!\ufffd\ufffd\ufffdY\ufffd\u0195\ufffd`5j\ufffd6\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffdV3\ufffdL\u000e\ufffd\ufffd\u051c\ufffdR'\ufffd\ufffdx5_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\u0003p\u001aq\ufffd",
"request_sample": "\ufffd\ufffd7\ufffdP\ufffd\ufffd[,<{t\u0000!\ufffd\ufffd\ufffdY\ufffd\u0195\ufffd`5j\ufffd6\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffdV3\ufffdL\u000e\ufffd\ufffd\u051c\ufffdR'\ufffd\ufffdx5_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\u0003p\u001aq\ufffd",
"payload_snippet": "\ufffd\ufffd7\ufffdP\ufffd\ufffd[,<{t\u0000!\ufffd\ufffd\ufffdY\ufffd\u0195\ufffd`5j\ufffd6\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffdV3\ufffdL\u000e\ufffd\ufffd\u051c\ufffdR'\ufffd\ufffdx5_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\u0003p\u001aq\ufffd",
"evidence": {
"request_sample": "\ufffd\ufffd7\ufffdP\ufffd\ufffd[,<{t\u0000!\ufffd\ufffd\ufffdY\ufffd\u0195\ufffd`5j\ufffd6\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffdV3\ufffdL\u000e\ufffd\ufffd\u051c\ufffdR'\ufffd\ufffdx5_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\u0003p\u001aq\ufffd",
"payload_snippet": "\ufffd\ufffd7\ufffdP\ufffd\ufffd[,<{t\u0000!\ufffd\ufffd\ufffdY\ufffd\u0195\ufffd`5j\ufffd6\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffdV3\ufffdL\u000e\ufffd\ufffd\u051c\ufffdR'\ufffd\ufffdx5_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\u0003p\u001aq\ufffd",
"classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "544b49371518ac1092f09ba83d8c966b896b3ee5",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\ufffd\ufffd7\ufffdP\ufffd\ufffd[,<{t\u0000!\ufffd\ufffd\ufffdY\ufffd\u0195\ufffd`5j\ufffd6\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffdV3\ufffdL\u000e\ufffd\ufffd\u051c\ufffdR'\ufffd\ufffdx5_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\u0003p\u001aq\ufffd",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "\ufffd\ufffd7\ufffdP\ufffd\ufffd[,<{t!\ufffd\ufffd\ufffdY\ufffd\u0195\ufffd`5j\ufffd6\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffdV3\ufffdL\ufffd\ufffd\u051c\ufffdR'\ufffd\ufffdx5_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;pq\ufffd",
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "\ufffd\ufffd7\ufffdP\ufffd\ufffd[,<{t\u0000!\ufffd\ufffd\ufffdY\ufffd\u0195\ufffd`5j\ufffd6\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffdV3\ufffdL\u000e\ufffd\ufffd\u051c\ufffdR'\ufffd\ufffdx5_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\u0003p\u001aq\ufffd",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd7\ufffdP\ufffd\ufffd[,<{t!\ufffd\ufffd\ufffdY\ufffd\u0195\ufffd`5j\ufffd6\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffdV3\ufffdL\ufffd\ufffd\u051c\ufffdR'\ufffd\ufffdx5_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;pq\ufffd",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
Sonde port 143/TCP
port 143 tcp · via IMAP:143 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
net_bruteforce_burst
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Preuve honeypot — Sonde port 143/TCP
Connexion détectée sur le port 143 (TCP) du capteur simulé.
Pourquoi cette classification : Rafale d'authentification SSH · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 38,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ba54c69867e6b8120ca43682f345981a8ad648a8",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "pop3_probe",
"service_name": "imap",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "a16ceff6d669b3e29397887a084460a7"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 38
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f35954ffee4d153a3e26ff4215a9c5f15c6ad9bb",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"net_bruteforce_burst",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
143 · IMAP
|
imap
|
imap bruteforce
imap bruteforce · via IMAP:143 · (sonde / probe)
|
Élevée
|
Moyen · 41
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
IMAP
WAF
—
Recommandation
Surveiller
Tags
imap_emulated
imap_probe
net_pop3_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
143
Chemin / cible
—
Service
IMAP
Payload
7FYWU8I4 CAPABILITY
Pourquoi cette classification : Type « imap_bruteforce » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 41
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Email Imap Login
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
IMAPS CAPABILITY
User-Agent
—
Règles WAF
—
Payload (extrait)
7FYWU8I4 CAPABILITY
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a",
"emulator_response_len": 27,
"bytes_in": 21,
"payload_entropy": 3.9754180179138325,
"port_category": "well_known",
"org": "Google LLC",
"service": "imap",
"app_proto": "imap",
"asn": 396982,
"country": "BE",
"dst_port": 143,
"risk_waf": 8,
"risk_classification": 66,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 66,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 41,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "bbd6effe130b86471a1384e166fa85108cdf0a09",
"event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862",
"classification_reason": "Type \u00ab imap_bruteforce \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 76,
"precision_signals": [
"INT-EMAIL-imap-login"
],
"kb_rule_ids": [
"INT-EMAIL-imap-login"
],
"matched_patterns": [
"pat-0630"
],
"matched_pattern_names": [
"IMAPS CAPABILITY"
],
"pattern_ids": [
"pat-0630"
],
"confidence_breakdown": {
"waf": 8,
"classification": 66,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 41
},
"named_classification_skipped": false,
"service_name": "imap",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "210d732342bbb058674b699355410444",
"path_pattern_hash": "d01bbf3f52d5029936b2dffb0f5e856f"
},
"target_context": {
"dst_port": 143,
"service": "imap",
"service_name": "imap",
"risk_score": 41
},
"payload_preview": "7FYWU8I4 CAPABILITY\r\n",
"request_sample": "7FYWU8I4 CAPABILITY\r\n",
"payload_snippet": "7FYWU8I4 CAPABILITY",
"evidence": {
"request_sample": "7FYWU8I4 CAPABILITY\r\n",
"payload_snippet": "7FYWU8I4 CAPABILITY",
"classification_reason": "Type \u00ab imap_bruteforce \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "879d45e15f69a7dc544fcdca17d997bff54b7580",
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "7FYWU8I4 CAPABILITY",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"evidence_snippet": "7FYWU8I4 CAPABILITY",
"attack_vector": "imap bruteforce \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab imap_bruteforce \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab imap_bruteforce \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 41\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 66,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 41
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 41,
"risk_label": "Moyen",
"service_name": "imap",
"service_label_fr": "IMAP",
"dst_port": 143,
"protocol_emulated": true,
"tags_summary": [
"INT-EMAIL-imap-login"
],
"tags_summary_labels_fr": [
"Email Imap Login"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-imap",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)",
"payload_preview": "7FYWU8I4 CAPABILITY",
"port": 143,
"service": "imap",
"service_label_fr": "IMAP"
},
"attack_vector": "imap bruteforce \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)",
"evidence_snippet": "7FYWU8I4 CAPABILITY",
"target_port_label": "143 \u00b7 IMAP",
"emulator_service": "imap",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "imap",
"service_banner": "honeypot-imap",
"service_os": "linux",
"dst_port": "143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"imap_emulated",
"imap_probe",
"net_pop3_probe"
],
"asn_dc_heuristic": true
}
|