Détails IP 34.140.246.96

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_21_tcp » (signaux protocolaires) · confiance 55%

Confiance 55 % — Score WAF 8

Comparaison ASN / FAI

ASN 396982 · 34.140.240.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 6 événements sur la période pour cette IP.

198.235.24.66 Sonde port 5902/TCP 16/06/2026 03:54 UTC
198.235.24.88 webmin probe 16/06/2026 03:51 UTC
147.185.132.219 Sonde PostgreSQL 16/06/2026 03:51 UTC
34.62.253.93 Sonde port 25/TCP 16/06/2026 03:50 UTC
34.156.250.171 Sonde SMTP 16/06/2026 03:49 UTC
198.235.24.40 Sonde port 16/06/2026 03:47 UTC
147.185.132.156 rsync probe 16/06/2026 03:46 UTC
205.210.31.43 Scanner web 16/06/2026 03:44 UTC

IPs apparentées

Même FAI Google LLC — corrélation indicative.

198.235.24.66 Sonde port 5902/TCP
198.235.24.88 webmin probe
147.185.132.219 Sonde PostgreSQL
34.62.253.93 Sonde port 25/TCP
34.156.250.171 Sonde SMTP

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

6 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
16/06/2026 02:51:10 UTC	TCP	21 · FTP	ftp	Sonde port 21/TCP port 21 tcp · via FTP:21 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Sonde protocole FTP Émulateur FTP WAF — Recommandation Surveiller Tags ftp_emulated net_ftp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 21 Chemin / cible — Preuve honeypot — Sonde port 21/TCP Connexion détectée sur le port 21 (TCP) du capteur simulé. Service FTP Pourquoi cette classification : Type « port_21_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 40 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420465450205365727665722072656164792e0d0a", "emulator_response_len": 32, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "Google LLC", "service": "ftp", "app_proto": "ftp", "asn": 396982, "country": "BE", "dst_port": 21, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0 }, "risk_score": 40, "tag_count": 2, "anomaly_count": 0, "campaign_key": "0e3137812f19bf14aa1acaa110935b990e3b112f", "event_fingerprint": "07fdc90e0dd65f1bc1a6bace3f4b4df61a0c8659", "classification_reason": "Type \u00ab port_21_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 40 }, "named_classification_skipped": true, "named_candidate": "ftp_probe", "service_name": "ftp", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "859ddb95f048d27beffd6a8201284af6" }, "target_context": { "dst_port": 21, "service": "ftp", "service_name": "ftp", "risk_score": 40 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aef850f2f0f56e7728957dd601186b911e4bde66", "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "attack_vector": "port 21 tcp \u00b7 via FTP:21 \u00b7 (sonde \/ probe)", "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_21_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_21_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "ftp", "service_label_fr": "FTP", "dst_port": 21, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-ftp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "attack_vector": "port 21 tcp \u00b7 via FTP:21 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ftp", "service_banner": "honeypot-ftp", "service_os": "linux", "dst_port": "21" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "ftp_emulated", "net_ftp_probe" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
16/06/2026 02:50:29 UTC	TCP	21 · FTP	ftp	Sonde OPC-UA opcua probe · via FTP:21 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Sonde protocole FTP Émulateur FTP WAF — Recommandation Surveiller Tags ftp_emulated net_ftp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 21 Chemin / cible — Service FTP Payload HELP Pourquoi cette classification : Type « opcua_probe » (signaux protocolaires) · confiance 47% Confiance classification 47% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 47 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0626 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) OPC UA HEL User-Agent — Règles WAF — Payload (extrait) HELP Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420465450205365727665722072656164792e0d0a35303020556e6b6e6f776e20636f6d6d616e642e0d0a", "emulator_response_len": 54, "bytes_in": 6, "payload_entropy": 2.584962500721156, "port_category": "well_known", "org": "Google LLC", "service": "ftp", "app_proto": "ftp", "asn": 396982, "country": "BE", "dst_port": 21, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0 }, "risk_score": 35, "tag_count": 2, "anomaly_count": 0, "campaign_key": "0e3137812f19bf14aa1acaa110935b990e3b112f", "event_fingerprint": "07fdc90e0dd65f1bc1a6bace3f4b4df61a0c8659", "classification_reason": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "confidence": 0.47, "classification_confidence": 0.47, "precision_score": 56, "precision_signals": [ "pat-0626" ], "kb_rule_ids": [ "pat-0626" ], "matched_patterns": [ "pat-0626" ], "matched_pattern_names": [ "OPC UA HEL" ], "pattern_ids": [ "pat-0626" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "ftp", "risk_confidence_factor": 47, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fb323af48498fcb3974ce6b1881c8797", "path_pattern_hash": "9665a326f7d8f70f1661dab78807b951" }, "target_context": { "dst_port": 21, "service": "ftp", "service_name": "ftp", "risk_score": 35 }, "payload_preview": "HELP\r\n", "request_sample": "HELP\r\n", "payload_snippet": "HELP", "evidence": { "request_sample": "HELP\r\n", "payload_snippet": "HELP", "classification_reason": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ee856eb9f30569200302e1610f0c8c689d81f02e", "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "payload_preview": "HELP", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "evidence_snippet": "HELP", "attack_vector": "opcua probe \u00b7 via FTP:21 \u00b7 (sonde \/ probe)", "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "classification_reason_label_fr": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 47, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "ftp", "service_label_fr": "FTP", "dst_port": 21, "protocol_emulated": true, "tags_summary": [ "pat-0626" ], "tags_summary_labels_fr": [ "pat-0626" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-ftp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "payload_preview": "HELP", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "attack_vector": "opcua probe \u00b7 via FTP:21 \u00b7 (sonde \/ probe)", "evidence_snippet": "HELP", "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 47 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ftp", "service_banner": "honeypot-ftp", "service_os": "linux", "dst_port": "21" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "ftp_emulated", "net_ftp_probe" ], "asn_dc_heuristic": true }
16/06/2026 02:50:29 UTC	TCP	21 · FTP	ftp	Sonde port 21/TCP port 21 tcp · via FTP:21 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Sonde protocole FTP Émulateur FTP WAF — Recommandation Surveiller Tags ftp_emulated net_ftp_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 21 Chemin / cible — Preuve honeypot — Sonde port 21/TCP Connexion détectée sur le port 21 (TCP) du capteur simulé. Service FTP Payload SO?G��,��`~��{�Ֆ�w��<=�o�n( fedcba` Pourquoi cette classification : Type « port_21_tcp » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) SO?G��,��`~��{�Ֆ�w��<=�o�n( fedcba` Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420465450205365727665722072656164792e0d0a35303020556e6b6e6f776e20636f6d6d616e642e0d0a", "emulator_response_len": 54, "bytes_in": 88, "payload_entropy": 4.71356415999113, "port_category": "well_known", "org": "Google LLC", "service": "ftp", "app_proto": "ftp", "asn": 396982, "country": "BE", "dst_port": 21, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "fb8ed69fdb663409bd4a67a27cd7334b94d5f8f3", "event_fingerprint": "07fdc90e0dd65f1bc1a6bace3f4b4df61a0c8659", "classification_reason": "Type \u00ab port_21_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "service_name": "ftp", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "80ab07029d5f302cd55bfd003a3a37f1", "path_pattern_hash": "859ddb95f048d27beffd6a8201284af6" }, "target_context": { "dst_port": 21, "service": "ftp", "service_name": "ftp", "risk_score": 40 }, "payload_preview": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "request_sample": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "payload_snippet": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "evidence": { "request_sample": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "payload_snippet": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "classification_reason": "Type \u00ab port_21_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d29d623d48a87ca8d705daa9b1c78b5769c0e8b4", "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "payload_preview": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "evidence_snippet": "SO?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffdn(\nfedcba`", "attack_vector": "port 21 tcp \u00b7 via FTP:21 \u00b7 (sonde \/ probe)", "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_21_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab port_21_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "ftp", "service_label_fr": "FTP", "dst_port": 21, "protocol_emulated": true, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-ftp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "payload_preview": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "attack_vector": "port 21 tcp \u00b7 via FTP:21 \u00b7 (sonde \/ probe)", "evidence_snippet": "SO?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffdn(\nfedcba`", "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ftp", "service_banner": "honeypot-ftp", "service_os": "linux", "dst_port": "21" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "ftp_emulated", "net_ftp_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
16/06/2026 02:50:29 UTC	TCP	21 · FTP	ftp	Sonde FTP ftp probe · via FTP:21 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Sonde protocole FTP Émulateur FTP WAF — Recommandation Surveiller Tags ftp_emulated net_ftp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 21 Chemin / cible — Service FTP Payload ��SMBr@@�PC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1. Pourquoi cette classification : Type « ftp_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0771 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��SMBr@@�PC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1. Requête brute (extrait) ��SMBr@@�PC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.2X002SambaNT LANMAN 1.0NT LM 0.12 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420465450205365727665722072656164792e0d0a35303020556e6b6e6f776e20636f6d6d616e642e0d0a", "emulator_response_len": 54, "bytes_in": 168, "payload_entropy": 4.517824025292926, "port_category": "well_known", "org": "Google LLC", "service": "ftp", "app_proto": "ftp", "asn": 396982, "country": "BE", "dst_port": 21, "risk_waf": 8, "risk_classification": 46, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "0e3137812f19bf14aa1acaa110935b990e3b112f", "event_fingerprint": "07fdc90e0dd65f1bc1a6bace3f4b4df61a0c8659", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0771" ], "classification_reason": "Type \u00ab ftp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15, "risk_score": 45 }, "service_name": "ftp", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c8b954e7bc1bc076c8d1bd64820e67f", "path_pattern_hash": "927e5cb33ffc245351b0aac1c306b95c" }, "target_context": { "dst_port": 21, "service": "ftp", "service_name": "ftp", "risk_score": 45 }, "payload_preview": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.", "request_sample": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.2X002\u0000\u0002Samba\u0000\u0002NT LANMAN 1.0\u0000\u0002NT LM 0.12\u0000", "payload_snippet": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.", "evidence": { "request_sample": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.2X002\u0000\u0002Samba\u0000\u0002NT LANMAN 1.0\u0000\u0002NT LM 0.12\u0000", "payload_snippet": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.", "classification_reason": "Type \u00ab ftp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "78037bab6e6d94c81bc120f9ae38e23ec1ba9eb0", "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "payload_preview": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "evidence_snippet": "\ufffd\ufffdSMBr@@\ufffdPC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.", "attack_vector": "ftp probe \u00b7 via FTP:21 \u00b7 (sonde \/ probe)", "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab ftp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab ftp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "ftp", "service_label_fr": "FTP", "dst_port": 21, "protocol_emulated": true, "tags_summary": [ "pat-0771" ], "tags_summary_labels_fr": [ "pat-0771" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-ftp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "payload_preview": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "attack_vector": "ftp probe \u00b7 via FTP:21 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdSMBr@@\ufffdPC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.", "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ftp", "service_banner": "honeypot-ftp", "service_os": "linux", "dst_port": "21" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "ftp_emulated", "net_ftp_probe" ], "asn_dc_heuristic": true }
16/06/2026 02:50:28 UTC	TCP	21 · FTP	ftp	Sonde port 21/TCP port 21 tcp · via FTP:21 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Sonde protocole FTP Émulateur FTP WAF — Recommandation Surveiller Tags ftp_emulated net_ftp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 21 Chemin / cible — Preuve honeypot — Sonde port 21/TCP Connexion détectée sur le port 21 (TCP) du capteur simulé. Service FTP Pourquoi cette classification : Type « port_21_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 40 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420465450205365727665722072656164792e0d0a35303020556e6b6e6f776e20636f6d6d616e642e0d0a", "emulator_response_len": 54, "bytes_in": 4, "payload_entropy": 1, "port_category": "well_known", "org": "Google LLC", "service": "ftp", "app_proto": "ftp", "asn": 396982, "country": "BE", "dst_port": 21, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0 }, "risk_score": 40, "tag_count": 2, "anomaly_count": 0, "campaign_key": "0e3137812f19bf14aa1acaa110935b990e3b112f", "event_fingerprint": "07fdc90e0dd65f1bc1a6bace3f4b4df61a0c8659", "classification_reason": "Type \u00ab port_21_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 40 }, "named_classification_skipped": true, "named_candidate": "ftp_probe", "service_name": "ftp", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "dba5166ad9db9ba648c1032ebbd34dcd", "path_pattern_hash": "859ddb95f048d27beffd6a8201284af6" }, "target_context": { "dst_port": 21, "service": "ftp", "service_name": "ftp", "risk_score": 40 }, "payload_preview": "\r\n\r\n", "request_sample": "\r\n\r\n", "evidence": { "request_sample": "\r\n\r\n", "classification_reason": "Type \u00ab port_21_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1a72d8053986b752a145decd9c77d9cf6b965278", "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "attack_vector": "port 21 tcp \u00b7 via FTP:21 \u00b7 (sonde \/ probe)", "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_21_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_21_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "ftp", "service_label_fr": "FTP", "dst_port": 21, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-ftp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "attack_vector": "port 21 tcp \u00b7 via FTP:21 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ftp", "service_banner": "honeypot-ftp", "service_os": "linux", "dst_port": "21" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "ftp_emulated", "net_ftp_probe" ], "asn_dc_heuristic": true }
16/06/2026 02:50:24 UTC	TCP	21 · FTP	ftp	Sonde port 21/TCP port 21 tcp · via FTP:21 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Sonde protocole FTP Émulateur FTP WAF — Recommandation Surveiller Tags ftp_emulated net_ftp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 21 Chemin / cible — Preuve honeypot — Sonde port 21/TCP Connexion détectée sur le port 21 (TCP) du capteur simulé. Service FTP Pourquoi cette classification : Type « port_21_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 40 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420465450205365727665722072656164792e0d0a", "emulator_response_len": 32, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "Google LLC", "service": "ftp", "app_proto": "ftp", "asn": 396982, "country": "BE", "dst_port": 21, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0 }, "risk_score": 40, "tag_count": 2, "anomaly_count": 0, "campaign_key": "0e3137812f19bf14aa1acaa110935b990e3b112f", "event_fingerprint": "07fdc90e0dd65f1bc1a6bace3f4b4df61a0c8659", "classification_reason": "Type \u00ab port_21_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 40 }, "named_classification_skipped": true, "named_candidate": "ftp_probe", "service_name": "ftp", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "859ddb95f048d27beffd6a8201284af6" }, "target_context": { "dst_port": 21, "service": "ftp", "service_name": "ftp", "risk_score": 40 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aef850f2f0f56e7728957dd601186b911e4bde66", "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "attack_vector": "port 21 tcp \u00b7 via FTP:21 \u00b7 (sonde \/ probe)", "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_21_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_21_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "ftp", "service_label_fr": "FTP", "dst_port": 21, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-ftp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "attack_vector": "port 21 tcp \u00b7 via FTP:21 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ftp", "service_banner": "honeypot-ftp", "service_os": "linux", "dst_port": "21" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "ftp_emulated", "net_ftp_probe" ], "asn_dc_heuristic": true }

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

34.140.246.96

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence